Windows Analysis Report
Unlocker1.9.2.exe

Overview

General Information

Sample name: Unlocker1.9.2.exe
Analysis ID: 1474201
MD5: 1e02d6aa4a199448719113ae3926afb2
SHA1: f1eff6451ced129c0e5c0a510955f234a01158a0
SHA256: fb6b1171776554a808c62f4045f5167603f70bf7611de64311ece0624b365397

Detection

Score: 42
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: rundll32 run dll from internet
Contains functionality to register a low level keyboard hook
Creates an undocumented autostart registry key
Sample is not signed and drops a device driver
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to harvest and steal browser information (history, passwords, etc)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates driver files
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sigma detected: Classes Autorun Keys Modification
Sigma detected: Use Short Name Path in Command Line
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64
  • Unlocker1.9.2.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\Unlocker1.9.2.exe" MD5: 1E02D6AA4A199448719113AE3926AFB2)
    • DeltaTB.exe (PID: 7380 cmdline: "C:\Users\user\AppData\Local\Temp\DeltaTB.exe" /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt MD5: EB2764885565B6C01CB32E5F51F213B3)
      • Setup.exe (PID: 7396 cmdline: "C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe" -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt MD5: 26F6D1B6756A83DE9755A05F7C030D75)
        • rundll32.exe (PID: 7460 cmdline: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Local\Temp\BD7BB1~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com MD5: 889B99C52A60DD49227C5E485A016679)
          • ielowutil.exe (PID: 7504 cmdline: "C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -PID:123 MD5: 650FE7460630188008BF8C8153526CEB)
        • setup.exe (PID: 7640 cmdline: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\Setup.exe -latest -trkInfo=[TType:5012_7] -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt MD5: 5790A04F78C61C3CAEA7DDD6F01829D2)
    • regsvr32.exe (PID: 7716 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Unlocker\UnlockerCOM.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • regsvr32.exe (PID: 7728 cmdline: /s "C:\Program Files\Unlocker\UnlockerCOM.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\regsvr32.exe, ProcessId: 7728, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension\(Default)
Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Local\Temp\BD7BB1~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com, CommandLine: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Local\Temp\BD7BB1~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe" -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt, ParentImage: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe, ParentProcessId: 7396, ParentProcessName: Setup.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Local\Temp\BD7BB1~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com, ProcessId: 7460, ProcessName: rundll32.exe

Data Obfuscation

Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Local\Temp\BD7BB1~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com, CommandLine: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Local\Temp\BD7BB1~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe" -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt, ParentImage: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe, ParentProcessId: 7396, ParentProcessName: Setup.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Local\Temp\BD7BB1~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com, ProcessId: 7460, ProcessName: rundll32.exe
No Snort rule has matched
Timestamp:2024-07-16T14:44:37.431977+0200
SID:2012735
Source Port:49734
Destination Port:80
Protocol:TCP
Classtype:Potential Corporate Privacy Violation
Timestamp:2024-07-16T14:44:38.291598+0200
SID:2012735
Source Port:49736
Destination Port:80
Protocol:TCP
Classtype:Potential Corporate Privacy Violation
Timestamp:2024-07-16T14:44:37.790287+0200
SID:2012735
Source Port:49731
Destination Port:80
Protocol:TCP
Classtype:Potential Corporate Privacy Violation
Timestamp:2024-07-16T14:44:36.804732+0200
SID:2012735
Source Port:49732
Destination Port:80
Protocol:TCP
Classtype:Potential Corporate Privacy Violation

AV Detection

Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\DeltaTB.exe ReversingLabs: Detection: 45%
Source: Unlocker1.9.2.exe ReversingLabs: Detection: 50%
Source: Unlocker1.9.2.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeWindow detected: < &BackI &AgreeCancelNullsoft Install System v2.46 Nullsoft Install System v2.46License AgreementPlease review the license terms before installing Unlocker 1.9.2.Press Page Down to see the rest of the agreement.A. Unlocker End User License AgreementB. Delta Toolbar End User License AgreementA. Unlocker End User License AgreementThis software is provided "as is" without any guarantee made as to its suitability or fitness for any particular use. It may contain bugs so use of this tool is at your own risk. We take no responsibility for any damage that may unintentionally be caused through its use.You may not distribute Unlocker in any form without express written permission of Cedrick Collomb (ccollomb@emptyloop.com)B. Delta Toolbar End User License AgreementYou have the option of installing the Delta Toolbar. By Installing the Delta Toolbar you agree to Delta End-User Licence Agreement and Delta Privacy Statement. You can easily remove this application at any time.o Delta End-User Licence Agreement: http://info.delta-search.com/uninstall/eula.htmlo Delta Privacy Statement http://info.delta-search.com/uninstall/privacy.htmlIf you accept the terms of the agreement click I Agree to continue. You must accept the agreement to install Unlocker 1.9.2.
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe Directory created: C:\Program Files\Unlocker
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe Directory created: C:\Program Files\Unlocker\Unlocker.exe
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe Directory created: C:\Program Files\Unlocker\UnlockerDriver5.sys
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe Directory created: C:\Program Files\Unlocker\UnlockerInject32.exe
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe Directory created: C:\Program Files\Unlocker\README.TXT
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe Directory created: C:\Program Files\Unlocker\UnlockerCOM.dll
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe Directory created: C:\Program Files\Unlocker\Unlocker.url
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe Directory created: C:\Program Files\Unlocker\uninst.exe
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Unlocker
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe File created: C:\Program Files\Unlocker\README.TXT
Source: Binary string: D:\Projects\Setup_9.1.1\Release_Win32\Setup32.pdb source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe, 00000002.00000000.1822765744.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe.1.dr
Source: Binary string: c:\Documents and Settings\Cedrick\My Documents\Cedrick\Backup Office\My Sources\Visual Studio Projects\Unlocker\Release64\Unlocker.pdb source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.dr
Source: Binary string: C:\projects\meitar-branch\SP_Meitar\Release_Win32\ReportUrlDll.pdb source: setup.exe, 00000007.00000002.1878378255.0000000000BC2000.00000002.00000001.01000000.00000011.sdmp, setup.exe, 00000007.00000000.1877424326.0000000000BC2000.00000002.00000001.01000000.00000011.sdmp, setup.exe.2.dr
Source: Binary string: D:\Projects\Setup_9.1.0\Release_Win32\IEHelper.pdbp source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, IEHelper.dll.2.dr, IEHelper.dll.1.dr
Source: Binary string: D:\Projects\Babylon\Setup1_Win32\Setup_Stub.pdbN source: Unlocker1.9.2.exe, DeltaTB.exe.0.dr
Source: Binary string: D:\Projects\Setup_9.1.0\Release_Win32\BExternal.pdb source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, BExternal.dll.1.dr, BExternal.dll.2.dr
Source: Binary string: D:\Projects\Setup_9.1.1\Release_Win32\Setup32.pdbp;V source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe, 00000002.00000000.1822765744.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe.1.dr
Source: Binary string: D:\Projects\Babylon\Setup1_Win32\Setup_Stub.pdb source: DeltaTB.exe, 00000001.00000000.1820166245.0000000000FE4000.00000002.00000001.01000000.00000009.sdmp, DeltaTB.exe, 00000001.00000002.1892728693.0000000000FE4000.00000002.00000001.01000000.00000009.sdmp, Unlocker1.9.2.exe, DeltaTB.exe.0.dr
Source: Binary string: D:\Projects\Setup_9.1.0\Release_Win32\IEHelper.pdb source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, IEHelper.dll.2.dr, IEHelper.dll.1.dr
Source: Binary string: c:\Documents and Settings\Cedrick\My Documents\Cedrick\Backup Office\My Sources\Visual Studio Projects\Unlocker\Release64\Unlocker.pdbH source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.dr
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeCode function: 0_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00405302
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeCode function: 0_2_00405CD8 FindFirstFileA,FindClose,0_2_00405CD8
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeCode function: 0_2_0040263E FindFirstFileA,0_2_0040263E
Source: C:\Users\user\AppData\Local\Temp\DeltaTB.exeCode function: 1_2_00FE121F _wcscpy,_wcscpy,_wcscat,FindFirstFileW,1_2_00FE121F
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_0049F0E0 FindFirstFileW,FindClose,2_2_0049F0E0
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_0042ECB0 _wcscpy,PathAddBackslashW,_wcslen,_wcscpy,FindFirstFileW,_wcscpy,FindNextFileW,FindClose,2_2_0042ECB0
Source: Joe Sandbox ViewIP Address: 184.154.27.232 184.154.27.232
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /report.php?no_policy=1&lang=0&source=setup-start&stage=0&ver=9.1.1.10&affilID=122471&guid={58179BB7-E7F9-4C19-A3E7-DD439943CF6D}&mntrId=D842ECF4BBEA1588&moldid=d84249be000000000000ecf4bbea1588&sufn=Unlocker1.9.2.exe&iev=11&ffv=1&crv=117&dwb=cr&dlb=cr&wbr=4&ibprs=NA&ibprv=0&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&avr=V2luZG93cyBEZWZlbmRlcg==&tbtp=def&tbinst=1&w64=1&cntry=CH&cat=delta&uac=1&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:0;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0 HTTP/1.1User-Agent: BabylonHost: stat.info-stream.netCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /downloader.php?ver=9.1.1.10&affilID=122471&guid={58179BB7-E7F9-4C19-A3E7-DD439943CF6D}&mntrId=D842ECF4BBEA1588&moldid=d84249be000000000000ecf4bbea1588&sufn=Unlocker1.9.2.exe&iev=11&ffv=1&crv=117&dwb=cr&dlb=cr&wbr=4&ibprs=NA&ibprv=0&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&avr=V2luZG93cyBEZWZlbmRlcg==&tbtp=def&tbinst=1&w64=1&cntry=CH&cat=delta&uac=1&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:0;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0&lang=en&zpb=1&geo=1 HTTP/1.1User-Agent: BabylonHost: stp.babylon.comConnection: Keep-AliveCookie: affilID=122471
Source: global trafficHTTP traffic detected: GET /site/files/Setup9/dwr/latest/latest_bl/Setup2.zpb HTTP/1.1User-Agent: BabylonHost: dl.babylon.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /report.php?no_policy=1&lang=0&source=setup-end&stage=91&ver=9.1.1.10&affilID=122471&guid={58179BB7-E7F9-4C19-A3E7-DD439943CF6D}&mntrId=D842ECF4BBEA1588&moldid=d84249be000000000000ecf4bbea1588&sufn=Unlocker1.9.2.exe&iev=11&ffv=1&crv=117&dwb=cr&dlb=cr&wbr=4&ibprs=NA&ibprv=0&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&avr=V2luZG93cyBEZWZlbmRlcg==&tbtp=def&tbinst=1&w64=1&cntry=CH&cat=delta&uac=1&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:0;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0&hp=4&dsp=4&tb=4&hpx=0&dspx=0&rvrt=0&excd=0&stm=1&nvs=0&dnld=100&dcnt=1&dtot=1&dlerr=200&dltm=0&dlsz=3844&dsflr=0&errurl=Setup2.zpb&hpc=1998245871&spc=1998245871&tbx=0 HTTP/1.1User-Agent: BabylonHost: stat.info-stream.netCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /report.php?no_policy=1&lang=0&source=setup-end&stage=91&ver=9.1.1.10&affilID=122471&guid={58179BB7-E7F9-4C19-A3E7-DD439943CF6D}&mntrId=D842ECF4BBEA1588&moldid=d84249be000000000000ecf4bbea1588&sufn=Unlocker1.9.2.exe&iev=11&ffv=1&crv=117&dwb=cr&dlb=cr&wbr=4&ibprs=NA&ibprv=0&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&avr=V2luZG93cyBEZWZlbmRlcg==&tbtp=def&tbinst=1&w64=1&cntry=CH&cat=delta&uac=1&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:0;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0&hp=4&dsp=4&tb=4&hpx=0&dspx=0&rvrt=0&excd=0&stm=1&nvs=0&dnld=100&dcnt=1&dtot=1&dlerr=200&dltm=0&dlsz=3844&dsflr=0&errurl=Setup2.zpb&hpc=1998245871&spc=1998245871&tbx=0 HTTP/1.1User-Agent: BabylonHost: stat.info-stream.netCache-Control: no-cache
Source: global trafficDNS traffic detected: DNS query: stat.info-stream.net
Source: global trafficDNS traffic detected: DNS query: stp.babylon.com
Source: global trafficDNS traffic detected: DNS query: dl.babylon.com
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe, 00000002.00000000.1822765744.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe.1.drString found in binary or memory: http://Kernel32.dllSetDllDirectoryW
Source: rundll32.exe, 00000004.00000002.1835852814.000000000072A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1835852814.0000000000720000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000005.00000002.2435790422.0000000002D30000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://babylon.com
Source: Setup.exe, 00000002.00000002.1889578094.0000000000669000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889578094.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1835852814.000000000072A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1835852814.0000000000771000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000005.00000002.2435790422.0000000002D08000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000005.00000002.2435790422.0000000002D30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://babylon.com/
Source: ielowutil.exe, 00000005.00000002.2435790422.0000000002D08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://babylon.com/#
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe, 00000002.00000000.1822765744.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe.1.drString found in binary or memory: http://babylon.com/?hp%d:%d;dsp%d:%d;hpu%d:%s;dspu%d:%s;COO_gcSCOO_scSBTRSCOO_suaopenopenieffcrBUSol
Source: ielowutil.exe, 00000005.00000002.2435790422.0000000002D30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://babylon.com/m
Source: ielowutil.exe, 00000005.00000002.2435790422.0000000002D08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://babylon.com/mf
Source: rundll32.exe, 00000004.00000002.1835738200.00000000001E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://babylon.com:
Source: rundll32.exe, 00000004.00000002.1835852814.0000000000720000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1835806383.0000000000550000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://babylon.comC:
Source: rundll32.exe, 00000004.00000002.1835852814.0000000000720000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://babylon.comZ_8
Source: rundll32.exe, 00000004.00000002.1835852814.000000000072A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://babylon.comam3
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825508077.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826319728.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://bis.babylon.com/
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825508077.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826319728.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://bts.babylon.com/index.php
Source: Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://bts.babylon.com/index.php2
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887022882.0000000003457000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826341006.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826075904.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826852679.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887168532.0000000003461000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884844277.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887118168.0000000003459000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886488405.0000000003422000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825809134.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884982165.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826245487.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888284358.000000000348C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826636430.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827261990.0000000003417000.00000004.00000020.00020000.00000000.sdmp, 
Setup.exe, 00000002.00000003.1827167077.0000000003417000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://clientac.babsrv.com/?f=3&n=10&q=%s&l=%d&t=%d&p=babylon&b=1&callback=acp_new
Source: Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://clients.babylon.com/eval/kms6.cgi
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825508077.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826319728.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://clients.babylon.com/pro/kms6.cgi
Source: Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://clients.babylon.com/pro/kms6.cgipDE
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886178998.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885763690.00000000033A1000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825508077.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826319728.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885875778.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://clientui.babylon.com/
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Unlocker1.9.2.exe, Setup.exe.1.dr, DeltaTB.exe.0.drString found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Unlocker1.9.2.exe, Setup.exe.1.dr, DeltaTB.exe.0.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Unlocker1.9.2.exe, Setup.exe.1.dr, DeltaTB.exe.0.drString found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
Source: Setup.exe, 00000002.00000002.1889578094.00000000006D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dl.babylon.com/
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885763690.00000000033A1000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825508077.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885875778.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://dl.babylon.com/site/files/Setup9/dwr/DefaultClient/DefaultClient/Default-clientdat.zpb;http:/
Source: Setup.exe, 00000002.00000003.1825654394.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://dl.babylon.com/site/files/Setup9/dwr/DefaultClient/DefaultClient/Default-tbdat.zpb;http://dl.
Source: Setup.exe, 00000002.00000002.1889578094.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889578094.00000000006C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dl.babylon.com/site/files/Setup9/dwr/latest/latest_bl/Setup2.zpb
Source: Setup.exe, 00000002.00000003.1887022882.0000000003457000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887168532.0000000003461000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884844277.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887118168.0000000003459000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886488405.0000000003422000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888438576.0000000003482000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891138006.0000000003484000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884982165.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887787451.0000000003470000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886689266.0000000003445000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888617392.0000000003482000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887283130.0000000003467000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886389126.0000000003420000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887823999.0000000003481000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886034766.000000000341D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886544155.000000000342A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885066446.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888704415.0000000003482000.00000004.00000020.00020000.00000000.sdmp, downloader[1].htm.2.drString found in binary or memory: http://dl.babylon.com/site/files/Setup9/dwr/latest/latest_bl/Setup2.zpb;
Source: Setup.exe, 00000002.00000002.1889578094.00000000006D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dl.babylon.com/site/files/Setup9/dwr/latest/latest_bl/Setup2.zpbR
Source: Setup.exe, 00000002.00000002.1889578094.00000000006C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dl.babylon.com/site/files/Setup9/dwr/latest/latest_bl/Setup2.zpbZ
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825508077.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826319728.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://info.babylon.com/campaigns/
Source: Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://info.babylon.com/campaigns/4D9
Source: Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://info.babylon.com/setup/downloader.php
Source: Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826319728.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://info.babylon.com/setup/downloader.phpIVuD
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887022882.0000000003457000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826341006.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826075904.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826852679.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887168532.0000000003461000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884844277.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887118168.0000000003459000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886488405.0000000003422000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888438576.0000000003482000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825809134.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884982165.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826245487.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826636430.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827261990.0000000003417000.00000004.00000020.00020000.00000000.sdmp, 
Setup.exe, 00000002.00000003.1827167077.0000000003417000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://info.babylon.com/stat/client_ga.php?name=$
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825508077.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826319728.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://info.babylon.com/welcome/
Source: Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://info.babylon.com/welcome/SS8D
Source: Unlocker1.9.2.exe, 00000000.00000003.1792880465.0000000003990000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1819489201.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1794629232.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1794514906.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000002.1926497169.0000000000556000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1790565433.0000000003990000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1794570553.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1794794163.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1794412908.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1790305403.0000000003990000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1819188983.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000002.1925781626.000000000019A000.00000004.00000010.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1794305651.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1681742885.000000000263D000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1794248113.0000000003990000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1728487357.00000000038D0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1790350769.0000000003990000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1728675366.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 
00000000.00000003.1794740244.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1794356784.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1794464519.00000000039A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://info.delta-search.com/uninstall/eula.html
Source: Unlocker1.9.2.exe, 00000000.00000002.1926497169.0000000000556000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000002.1925781626.000000000019A000.00000004.00000010.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1681742885.000000000263D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://info.delta-search.com/uninstall/privacy.html
Source: Unlocker1.9.2.exe, uninst.exe.0.drString found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Unlocker1.9.2.exe, uninst.exe.0.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Unlocker1.9.2.exe, Setup.exe.1.dr, DeltaTB.exe.0.drString found in binary or memory: http://ocsp.thawte.com0
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887022882.0000000003457000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826341006.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826075904.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826852679.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887168532.0000000003461000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884844277.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887118168.0000000003459000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886488405.0000000003422000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825809134.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884982165.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826245487.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888284358.000000000348C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826636430.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827261990.0000000003417000.00000004.00000020.00020000.00000000.sdmp, 
Setup.exe, 00000002.00000003.1827167077.0000000003417000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://search.babylon.com
Source: Setup.exe, 00000002.00000003.1887022882.0000000003457000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826341006.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826075904.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826852679.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887168532.0000000003461000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884844277.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887118168.0000000003459000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886488405.0000000003422000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825809134.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884982165.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826245487.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888284358.000000000348C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826636430.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827261990.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827167077.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825979103.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887787451.0000000003470000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886689266.0000000003445000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887283130.0000000003467000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826992927.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 
00000002.00000003.1886389126.0000000003420000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://search.babylon.comICH7Q
Source: Setup.exe, 00000002.00000002.1889021999.000000000017D000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://stat.info-stream.net/repo
Source: Setup.exe, 00000002.00000003.1885763690.00000000033A1000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885798283.00000000033B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://stat.info-stream.net/report.php?no_policy=1&lang
Source: Setup.exe, 00000002.00000003.1885763690.00000000033A1000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885798283.00000000033B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://stat.info-stream.net/report.php?no_policy=1&lang=0&source=setup-end&stage=111&ver=9.1.1.10&af
Source: Setup.exe, 00000002.00000002.1889578094.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885763690.00000000033A1000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885798283.00000000033B9000.00000004.00000020.00020000.00000000.sdmp, log_file.txt.2.drString found in binary or memory: http://stat.info-stream.net/report.php?no_policy=1&lang=0&source=setup-end&stage=91&ver=9.1.1.10&aff
Source: Setup.exe, 00000002.00000002.1889578094.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889578094.00000000006A3000.00000004.00000020.00020000.00000000.sdmp, log_file.txt.2.drString found in binary or memory: http://stat.info-stream.net/report.php?no_policy=1&lang=0&source=setup-start&stage=0&ver=9.1.1.10&af
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe, 00000002.00000000.1822765744.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe.1.drString found in binary or memory: http://stp.babylon.com/downloader.php?&lang=&zpb=1&second=1&geo=1about:blank:about:blankbfrNvgt:
Source: Setup.exe, 00000002.00000002.1889578094.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889578094.00000000006A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://stp.babylon.com/downloader.php?ver=9.1.1.10&affilID=122471&guid=
Source: Setup.exeString found in binary or memory: http://stpui.babylon.com/
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe, 00000002.00000000.1822765744.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe.1.drString found in binary or memory: http://stpui.babylon.com/setup_cms_url?name=&param=&lang=%d&ver=%d&bld=%d&&ver=
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825508077.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826319728.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://tc.babylon.com/Ginger/correct
Source: Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://tcm.babylon.com/UM_Consumer/UMOpeartions
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886178998.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885763690.00000000033A1000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825508077.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826319728.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885875778.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://transurl.babylon.com
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Unlocker1.9.2.exe, Setup.exe.1.dr, DeltaTB.exe.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Unlocker1.9.2.exe, Setup.exe.1.dr, DeltaTB.exe.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Unlocker1.9.2.exe, Setup.exe.1.dr, DeltaTB.exe.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Unlocker1.9.2.exe, 00000000.00000003.1897071636.000000000263E000.00000004.00000020.00020000.00000000.sdmp, README.TXT.0.drString found in binary or memory: http://unlocker.emptyloop.com
Source: Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/
Source: Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/)
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/????
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Accesso
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Acest
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Aquest
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Ce
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Denegado
Source: Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Denne
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Detta
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Dit
Source: Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Esta
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Este
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/GET
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Juurdep
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Ky
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Mesej
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Odm
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Ova
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/P
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Pesan
Source: Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Poruka
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Pr
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Questo
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/See
Source: Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/T
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Ta
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/Tato
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/This
Source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drString found in binary or memory: http://unlocker.emptyloop.com/To
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825508077.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826319728.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://utils.babylon.com/country/
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825508077.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826319728.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://www.babylon.com/lingoz-redirect
Source: Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://www.babylon.com/redirects/client.cgi?
Source: Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://www.babylon.com/redirects/download.cgi?
Source: Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://www.babylon.com/redirects/purchase.cgi?
Source: Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drString found in binary or memory: http://www.babylon.com/redirects/redir.cgi?
Source: Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826319728.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.babylon.com/redirects/redir.cgi?K
Source: Setup.exeString found in binary or memory: http://www.babylon.com/redirects/redir.cgi?no_policy=1&type=%s&lang=%d
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe, 00000002.00000000.1822765744.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe.1.drString found in binary or memory: http://www.babylon.com/redirects/redir.cgi?no_policy=1&type=%s&lang=%d9.1.1.10HPTBDSPukieffcrver=&&m
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887022882.0000000003457000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826341006.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826075904.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826852679.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887168532.0000000003461000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884844277.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887118168.0000000003459000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886488405.0000000003422000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825809134.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884982165.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826245487.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888284358.000000000348C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826636430.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827261990.0000000003417000.00000004.00000020.00020000.00000000.sdmp, 
Setup.exe, 00000002.00000003.1827167077.0000000003417000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.babylon.com/redirects/redir.cgi?type=babylon6_full_text
Source: Setup.exe, 00000002.00000003.1885875778.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.dr String found in binary or memory: http://www.babylon.com/redirects/redir.cgi?type=getting_started&lang=$
Source: Setup.exe, 00000002.00000003.1825654394.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.dr String found in binary or memory: http://www.babylon.com/redirects/redir.cgi?type=machinetrans
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825508077.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.dr String found in binary or memory: http://www.babylon.com/redirects/redir.cgi?type=post_install_page&lang=$
Source: Setup.exe, 00000002.00000003.1884844277.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884982165.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885066446.0000000003417000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.my-online-search.com
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe, 00000002.00000000.1822765744.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe.1.dr String found in binary or memory: http://www.my-online-search.com&babsrc=SP_ofln&mntrId=&dlb=%d&babsrc=SP_def&NT_HP_TB_SP_My
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe, 00000002.00000000.1822765744.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe.1.dr String found in binary or memory: http://www.my-online-search.com/?babsrc=HP_def&/?q=
Source: Setup.exe, 00000002.00000003.1887022882.0000000003457000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891170190.0000000003489000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888867282.0000000003488000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887168532.0000000003461000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884844277.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887118168.0000000003459000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886488405.0000000003422000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888438576.0000000003482000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884982165.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887787451.0000000003470000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886689266.0000000003445000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888617392.0000000003482000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887283130.0000000003467000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886389126.0000000003420000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887823999.0000000003481000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886034766.000000000341D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886544155.000000000342A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885066446.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888704415.0000000003482000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.my-online-search.com/?babsrc=HP_ofln&mntrId=D842ECF4BBEA1588
Source: Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.my-online-search.com/?babsrc=HP_ofln&mntrId=D842ECF4BBEA1588&dlb=2&affID=122471
Source: Setup.exe, 00000002.00000003.1887022882.0000000003457000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887168532.0000000003461000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891106230.000000000347A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884844277.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887118168.0000000003459000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886488405.0000000003422000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884982165.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887787451.0000000003470000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886689266.0000000003445000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887283130.0000000003467000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886389126.0000000003420000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886034766.000000000341D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886544155.000000000342A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888320589.0000000003473000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885066446.0000000003417000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.my-online-search.com/?babsrc=HP_ofln&mntrId=D842ECF4BBEA1588&dlb=2&affID=122471.dat?
Source: Setup.exe, 00000002.00000003.1887022882.0000000003457000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887168532.0000000003461000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884844277.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887118168.0000000003459000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888342919.0000000003468000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886488405.0000000003422000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884982165.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888563401.0000000003468000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886689266.0000000003445000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887283130.0000000003467000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886389126.0000000003420000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886034766.000000000341D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886544155.000000000342A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885066446.0000000003417000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.my-online-search.com/?babsrc=HP_ofln&mntrId=D842ECF4BBEA1588&dlb=2&affID=122471atK
Source: Setup.exe, 00000002.00000003.1887022882.0000000003457000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887168532.0000000003461000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884844277.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887118168.0000000003459000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888342919.0000000003468000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886488405.0000000003422000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884982165.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888563401.0000000003468000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886689266.0000000003445000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887283130.0000000003467000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886389126.0000000003420000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886034766.000000000341D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886544155.000000000342A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885066446.0000000003417000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.my-online-search.com/?babsrc=HP_ofln&mntrId=D842ECF4BBEA1588&dlb=2&affID=122471dat
Source: Setup.exe, 00000002.00000003.1887022882.0000000003457000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887168532.0000000003461000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884844277.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887118168.0000000003459000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888342919.0000000003468000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886488405.0000000003422000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884982165.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888563401.0000000003468000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886689266.0000000003445000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887283130.0000000003467000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886389126.0000000003420000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886034766.000000000341D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886544155.000000000342A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885066446.0000000003417000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.my-online-search.com/?babsrc=HP_ofln&mntrId=D842ECF4BBEA1588&dlb=2&affID=122471datr
Source: Setup.exe, 00000002.00000003.1887022882.0000000003457000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887168532.0000000003461000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884844277.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887118168.0000000003459000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888342919.0000000003468000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886488405.0000000003422000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884982165.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888563401.0000000003468000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886689266.0000000003445000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887283130.0000000003467000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886389126.0000000003420000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886034766.000000000341D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886544155.000000000342A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885066446.0000000003417000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.my-online-search.com/?babsrc=HP_ofln&mntrId=D842ECF4BBEA1588&dlb=2&affID=122471tml
Source: Setup.exe, 00000002.00000003.1885066446.0000000003417000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.my-online-search.com/?q=
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe, 00000002.00000000.1822765744.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe.1.dr String found in binary or memory: http://www.my-online-search.comhttp://www.my-online-search.com/?babsrc=HP_ofln&mntrId=&dlb=%dhome&?/
Source: Setup.exe, 00000002.00000002.1891296075.00000000037A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Setup.exe, 00000002.00000002.1891296075.00000000037A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Setup.exe, 00000002.00000002.1891296075.00000000037A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Setup.exe, 00000002.00000002.1891296075.00000000037A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Code function: 2_2_004C8C80 SetWindowsHookExW 00000002,004C8BE0,00000000,00000000
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe Code function: 0_2_00404EB9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe Code function: 0_2_004030CB EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe File created: C:\Program Files\Unlocker\UnlockerDriver5.sys
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe Code function: 0_2_004046CA
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe Code function: 0_2_00405FA8
Source: C:\Users\user\AppData\Local\Temp\DeltaTB.exe Code function: 1_2_00FE31F3
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Code function: 2_2_00450015
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Code function: 2_2_0045832D
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Code function: 2_2_004524B0
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Code function: 2_2_00499740
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Code function: 2_2_60941B74
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Code function: 2_2_6095E2BC
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Code function: 2_2_609062A0
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Code function: 2_2_609372A0
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Code function: 2_2_609072D4
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Code function: String function: 6090604C appears 116 times
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Code function: String function: 6090690C appears 84 times
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Code function: String function: 60905ED4 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Code function: String function: 004134D0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Code function: String function: 004CC5C0 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Code function: String function: 00456860 appears 37 times
Source: Unlocker1.9.2.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: sqlite3.dll.1.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: sqlite3.dll.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DeltaTB.exe.0.dr Static PE information: Section: .rsrc ZLIB complexity 0.9996548694779116
Source: Unlocker.exe.0.dr Binary string: %s\Unlocker-Log.txt\Device\LanmanRedirector%S%S\LanmanRedirector\%S\??\LanmanRedirector%c:\\.\%c:"0:\%s\\\\?\%s\Unlocker.cfgIsWow64Processopenhttp://unlocker.emptyloop.com/GET /unlocker/version.txt HTTP/1.0
Source: UnlockerDriver5.sys.0.dr Binary string: C2C\DosDevices\UnlockerDriver5\Device\UnlockerDriver5
Source: classification engine Classification label: mal42.spyw.evad.winEXE@14/55@3/3
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Code function: 2_2_60908DA0 GetLastError,FormatMessageW,FormatMessageA,sqlite3_win32_mbcs_to_utf8,LocalFree,sqlite3_snprintf,sqlite3_snprintf,free
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe Code function: 0_2_004041CD GetDlgItem,SetWindowTextA,SHAutoComplete,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Code function: 2_2_0049D9C0 CreateToolhelp32Snapshot,GetCurrentProcessId,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\AppData\Local\Temp\DeltaTB.exe Code function: 1_2_00FE1B44 LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe File created: C:\Program Files\Unlocker
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe File created: C:\Users\user\AppData\Local\Temp\nsl59A9.tmp
Source: Unlocker1.9.2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Local\Temp\BD7BB1~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, sqlite3.dll.1.dr, sqlite3.dll.2.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, sqlite3.dll.1.dr, sqlite3.dll.2.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, sqlite3.dll.1.dr, sqlite3.dll.2.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, sqlite3.dll.1.dr, sqlite3.dll.2.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Setup.exe, 00000002.00000002.1889578094.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.1.dr, sqlite3.dll.2.dr Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, sqlite3.dll.1.dr, sqlite3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, sqlite3.dll.1.dr, sqlite3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, sqlite3.dll.1.dr, sqlite3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, sqlite3.dll.1.dr, sqlite3.dll.2.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);name='%q'
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, sqlite3.dll.1.dr, sqlite3.dll.2.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, sqlite3.dll.1.dr, sqlite3.dll.2.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');sqlite_sequence
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, sqlite3.dll.1.dr, sqlite3.dll.2.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, sqlite3.dll.1.dr, sqlite3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Setup.exe Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zerobl
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, sqlite3.dll.1.dr, sqlite3.dll.2.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, sqlite3.dll.1.dr, sqlite3.dll.2.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;U
Source: Unlocker1.9.2.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe File read: C:\Users\user\Desktop\Unlocker1.9.2.exe
Source: unknown Process created: C:\Users\user\Desktop\Unlocker1.9.2.exe "C:\Users\user\Desktop\Unlocker1.9.2.exe"
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe Process created: C:\Users\user\AppData\Local\Temp\DeltaTB.exe "C:\Users\user\AppData\Local\Temp\DeltaTB.exe" /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt
Source: C:\Users\user\AppData\Local\Temp\DeltaTB.exe Process created: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe "C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe" -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Local\Temp\BD7BB1~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe "C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -PID:123
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exe C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\Setup.exe -latest -trkInfo=[TType:5012_7] -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt
Source: C:\Users\user\Desktop\Unlocker1.9.2.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Unlocker\UnlockerCOM.dll"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Unlocker\UnlockerCOM.dll"
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: riched20.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: usp10.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: msls31.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\DeltaTB.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: acgenral.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: samcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: msacm32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: msxml3.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: reslib.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: ieframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: msiso.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exeSection loaded: wininet.dllJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exeSection loaded: msiso.dllJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exeSection loaded: wldp.dllJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exeSection loaded: netutils.dllJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeSection loaded: acgenral.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeSection loaded: samcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeSection loaded: msacm32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
Source: README.lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Unlocker\README.TXT
Source: Start Unlocker.lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Unlocker\Unlocker.exe
Source: Website.lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Unlocker\Unlocker.url
Source: Uninstall.lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Unlocker\uninst.exe
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeFile written: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\Delta.iniJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeAutomated click: OK
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeAutomated click: Next >
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeAutomated click: I Agree
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeAutomated click: Next >
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeAutomated click: Next >
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeAutomated click: Install
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeWindow detected: < &Back | I &Agree | Cancel | Nullsoft Install System v2.46 | Nullsoft Install System v2.46 | License Agreement | Please review the license terms before installing Unlocker 1.9.2. Press Page Down to see the rest of the agreement. A. Unlocker End User License Agreement B. Delta Toolbar End User License Agreement A. Unlocker End User License Agreement: This software is provided "as is" without any guarantee made as to its suitability or fitness for any particular use. It may contain bugs so use of this tool is at your own risk. We take no responsibility for any damage that may unintentionally be caused through its use. You may not distribute Unlocker in any form without express written permission of Cedrick Collomb (ccollomb@emptyloop.com) B. Delta Toolbar End User License Agreement: You have the option of installing the Delta Toolbar. By Installing the Delta Toolbar you agree to Delta End-User Licence Agreement and Delta Privacy Statement. You can easily remove this application at any time. o Delta End-User Licence Agreement: http://info.delta-search.com/uninstall/eula.html o Delta Privacy Statement http://info.delta-search.com/uninstall/privacy.html If you accept the terms of the agreement click I Agree to continue. You must accept the agreement to install Unlocker 1.9.2.
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeDirectory created: C:\Program Files\UnlockerJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeDirectory created: C:\Program Files\Unlocker\Unlocker.exeJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeDirectory created: C:\Program Files\Unlocker\UnlockerDriver5.sysJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeDirectory created: C:\Program Files\Unlocker\UnlockerInject32.exeJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeDirectory created: C:\Program Files\Unlocker\README.TXTJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeDirectory created: C:\Program Files\Unlocker\UnlockerCOM.dllJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeDirectory created: C:\Program Files\Unlocker\Unlocker.urlJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeDirectory created: C:\Program Files\Unlocker\uninst.exeJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnlockerJump to behavior
Source: Unlocker1.9.2.exeStatic file information: File size 1078591 > 1048576
Source: Binary string: D:\Projects\Setup_9.1.1\Release_Win32\Setup32.pdb source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe, 00000002.00000000.1822765744.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe.1.dr
Source: Binary string: c:\Documents and Settings\Cedrick\My Documents\Cedrick\Backup Office\My Sources\Visual Studio Projects\Unlocker\Release64\Unlocker.pdb source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.dr
Source: Binary string: C:\projects\meitar-branch\SP_Meitar\Release_Win32\ReportUrlDll.pdb source: setup.exe, 00000007.00000002.1878378255.0000000000BC2000.00000002.00000001.01000000.00000011.sdmp, setup.exe, 00000007.00000000.1877424326.0000000000BC2000.00000002.00000001.01000000.00000011.sdmp, setup.exe.2.dr
Source: Binary string: D:\Projects\Setup_9.1.0\Release_Win32\IEHelper.pdbp source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, IEHelper.dll.2.dr, IEHelper.dll.1.dr
Source: Binary string: D:\Projects\Babylon\Setup1_Win32\Setup_Stub.pdbN source: Unlocker1.9.2.exe, DeltaTB.exe.0.dr
Source: Binary string: D:\Projects\Setup_9.1.0\Release_Win32\BExternal.pdb source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, BExternal.dll.1.dr, BExternal.dll.2.dr
Source: Binary string: D:\Projects\Setup_9.1.1\Release_Win32\Setup32.pdbp;V source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe, 00000002.00000000.1822765744.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe.1.dr
Source: Binary string: D:\Projects\Babylon\Setup1_Win32\Setup_Stub.pdb source: DeltaTB.exe, 00000001.00000000.1820166245.0000000000FE4000.00000002.00000001.01000000.00000009.sdmp, DeltaTB.exe, 00000001.00000002.1892728693.0000000000FE4000.00000002.00000001.01000000.00000009.sdmp, Unlocker1.9.2.exe, DeltaTB.exe.0.dr
Source: Binary string: D:\Projects\Setup_9.1.0\Release_Win32\IEHelper.pdb source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, IEHelper.dll.2.dr, IEHelper.dll.1.dr
Source: Binary string: c:\Documents and Settings\Cedrick\My Documents\Cedrick\Backup Office\My Sources\Visual Studio Projects\Unlocker\Release64\Unlocker.pdbH source: Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.dr
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeCode function: 0_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405CFF
Source: BExternal.dll.1.drStatic PE information: section name: .SHARDAT
Source: sqlite3.dll.1.drStatic PE information: section name: .stab
Source: sqlite3.dll.1.drStatic PE information: section name: .stabstr
Source: BExternal.dll.2.drStatic PE information: section name: .SHARDAT
Source: sqlite3.dll.2.drStatic PE information: section name: .stab
Source: sqlite3.dll.2.drStatic PE information: section name: .stabstr
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Unlocker\UnlockerCOM.dll"
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_004568A5 push ecx; ret 2_2_004568B8
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_60906B76 push es; iretd 2_2_60906B84
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_60907D83 pushad ; retf 2_2_60907D90

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Unlocker1.9.2.exeFile created: C:\Program Files\Unlocker\UnlockerDriver5.sysJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeFile created: C:\Program Files\Unlocker\UnlockerCOM.dllJump to dropped file
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeFile created: C:\Program Files\Unlocker\uninst.exeJump to dropped file
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeFile created: C:\Users\user\AppData\Local\Temp\DeltaTB.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DeltaTB.exeFile created: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\sqlite3.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\sqlite3.dllJump to dropped file
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeFile created: C:\Program Files\Unlocker\UnlockerDriver5.sysJump to dropped file
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeFile created: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\InstallOptions.dllJump to dropped file
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeFile created: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\LangDLL.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DeltaTB.exeFile created: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeJump to dropped file
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeFile created: C:\Program Files\Unlocker\UnlockerInject32.exeJump to dropped file
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeFile created: C:\Program Files\Unlocker\Unlocker.exeJump to dropped file
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeFile created: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\System.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DeltaTB.exeFile created: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\BExternal.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DeltaTB.exeFile created: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\IEHelper.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\IEHelper.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\BExternal.dllJump to dropped file
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeFile created: C:\Program Files\Unlocker\README.TXTJump to behavior

Boot Survival

Source: C:\Windows\System32\regsvr32.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension NULLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeWindow found: window name: ProgmanJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnlockerDriver5Jump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UnlockerJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker\README.lnkJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker\Start Unlocker.lnkJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker\Website.lnkJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker\Uninstall.lnkJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_0049D9C0 CreateToolhelp32Snapshot,GetCurrentProcessId,Process32FirstW,Process32NextW,CloseHandle,2_2_0049D9C0
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: _memset,GetVolumeInformationW,_memset,GetAdaptersInfo,_memset,StringFromGUID2,2_2_004F4BC0
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeDropped PE file which has not been started: C:\Program Files\Unlocker\UnlockerCOM.dllJump to dropped file
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeDropped PE file which has not been started: C:\Program Files\Unlocker\uninst.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DeltaTB.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\sqlite3.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\sqlite3.dllJump to dropped file
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\InstallOptions.dllJump to dropped file
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeDropped PE file which has not been started: C:\Program Files\Unlocker\UnlockerDriver5.sysJump to dropped file
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\LangDLL.dllJump to dropped file
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeDropped PE file which has not been started: C:\Program Files\Unlocker\UnlockerInject32.exeJump to dropped file
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeDropped PE file which has not been started: C:\Program Files\Unlocker\Unlocker.exeJump to dropped file
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\System.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DeltaTB.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\IEHelper.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DeltaTB.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\BExternal.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\IEHelper.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\BExternal.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeEvasive API call chain: GetLocalTime,DecisionNodesgraph_2-94050
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_2-93430
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_2-93103
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeAPI coverage: 6.9 %
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_60909490 GetSystemTime followed by cmp: cmp eax, 03h and CTI: jbe 609094F9h2_2_60909490
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeFile Volume queried: C:\Program Files FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeCode function: 0_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00405302
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeCode function: 0_2_00405CD8 FindFirstFileA,FindClose,0_2_00405CD8
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeCode function: 0_2_0040263E FindFirstFileA,0_2_0040263E
Source: C:\Users\user\AppData\Local\Temp\DeltaTB.exeCode function: 1_2_00FE121F _wcscpy,_wcscpy,_wcscat,FindFirstFileW,1_2_00FE121F
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_0049F0E0 FindFirstFileW,FindClose,2_2_0049F0E0
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_0042ECB0 _wcscpy,PathAddBackslashW,_wcslen,_wcscpy,FindFirstFileW,_wcscpy,FindNextFileW,FindClose,2_2_0042ECB0
Source: Unlocker1.9.2.exe, 00000000.00000003.1682273538.0000000000589000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TSTORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}O8
Source: Setup.exe, 00000002.00000002.1889578094.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889578094.00000000006A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000004.00000002.1835852814.0000000000746000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000005.00000002.2435790422.0000000002D08000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeAPI call chain: ExitProcess graph end nodegraph_0-3147
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeAPI call chain: ExitProcess graph end nodegraph_2-93105
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\DeltaTB.exeCode function: 1_2_00FE3BC5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00FE3BC5
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_0049D9C0 CreateToolhelp32Snapshot,GetCurrentProcessId,Process32FirstW,Process32NextW,CloseHandle,2_2_0049D9C0
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeCode function: 0_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405CFF
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_00494F60 OpenProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,2_2_00494F60
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_0045567D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0045567D
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_0044F6C8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0044F6C8
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeCode function: 7_2_00BC150D SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00BC150D
Source: Setup.exeBinary or memory string: Progman
Source: DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe, 00000002.00000000.1822765744.000000000051B000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: buyprc://%s,%d,%dCP_LINK<a id='%s' href='buyprc://%s,%d,%d'>%s</a> rbBF::RL%dwbBF::WL%dBLS_BLSBLS_~BLSBLS_CNLBLS_AL 0x%p 0x%p 0x%pBLS_AIN 0x%pBLS_GAPBLS_BLS_HFTPBLS_BLS_HTSPBLS_BLS_HUTPBLS_GTCLBLS_GCP3_1BLS_GCP3_2BLS_GPLNUBLS_BLS_HFTPBL_SCUIZ 0x%p 0x%pBLS_GCP4BLS::HCT%dBLS_GCP1 %d %d %d %dBLS::SSD%dBLS::GSD%dBLS::CC%dBLS_GCP2BLS_SCPBLS_GDICBLS_GVICBLS_GVOICBLS_GVVCBLS_DGP %d %d %d 0x%pBLS_GP1BLS_GP2 %d %d %dBLS_FNUFBLS_GP3BLS_GFT 0x%p 0x%pBLS::RC%dBLS::RAL%dBLS_RLBHBLS_GFCBLS_GFNTSBLS_GSTSBLS_GFPBLS_GNPBLS_GFLBLS_GNLBLS_GLBHBLS_GLBCBLS_ICRC 0x%p 0x%pBLS_ICRC1 0x%pBLS::IBL%dBLS::BL%dBLS::UBL%dBLS::DBL%dBLS::GLAI%dTRIALCORPUNLICENSED_CORPCEPROOTHERBLS::GPLL%dBLS::GCSD%dBLS::GCED%dBLS::GMED%dBLS::GCTL%dBLS::GCML%dBLS::GLI%dBLS::IT%dBLS::IR%dBLS::PL%dBLS::APL%dBLS::AVL%dIDIDRandRNDMinVersionVLicNameLNUserNameUNFeatureTypeFTFeatureIDFIDStartDateSLicenseMonthsLMLicenseDaysLDMaintMonthesMMMaintDaysMDFeatureNameFNMaintEndMEMaxPushMPUpgradeUPProductVersionPVURIURIBCL_GCTCBCL_IFSBCL_ITL%dBCL_HFBCL_GMTBCL_CFIDBCL_CPIDBCL_CVIDBCL_CFBCL_IFBCL_IUBCL_IVOKBCL::GFNTS%dBCL::GSTSIP%d%d %s%dBCL::GPD%dBCL::GPPV%dBCL::GPUV%d%dBCL::GPFV%dBCL::GFP%d%dBCL::GNP%dBL_GFTHBCL_GFLDBCL_GFMDBCL::GFD%dBCL_GCI2BCL_GCIBCL_GCFIBCL_GCFI1BCL_GFTT %s (%d)BCL_GFITBCL_GCINBCL_GINBCL_GFINBCL::GLT%dBCL::IC%dBCL_GSTSBCL_APBCL_FUSBL_ILEX 0x%pBCL_ILEBCL_IEBCL_GP %dBCL::MUU%dBCL_IBUP::ILPOK%dP::IMPOK%dP::IVOK%dP::IPE%dP::RID%dP::WID%dP_WIDP::WS%dP_SSDP_STCDP_MMSP::HAS%dP::MVS%dP_MS1P::IB%dP_APP_CTLP_MSP_CLPP_CMPP_CLPP_OP%0d%0a%%%02xUnEscURL 
url=%hs&lt;&gt;&amp;&quot;&apos;XML_EscA()&lt;&gt;&amp;&quot;&apos;XML_EscW()&lt;&gt;&amp;&quot;&apos;XML_EscA()&lt;&gt;&amp;&quot;&apos;XML_EscW()&lt;&gt;&amp;&quot;&apos;&lt;&gt;&amp;&quot;&apos;&; &amp;&; &amp;rBTM_gftCPRWL::Dest()CPRWL::Enter cat=%dCPRWL::Leave()PTSM::PTSM n_states=%dPTSM::~PTSM()PTSM::Wait st=%dPTSM::Set st=%d\VarFileInfo\Translation\StringFileInfo\%04x%04x\%sProgmanAdvApi32CreateProcessWithTokenWDllGetVersionComctl32.dllShell32.dllwut_enWinFG()wut_FFGWN/Awut_guliUser32.dllChangeWindowMessageFilterProgmanAdvApi32CreateProcessAsUserWopenECWP()User32.dllIsProcessDPIAwareroot\SecurityCenter2root\SecurityCenterSELECT * FROM AntivirusProductWQLdisplayName;Software\Microsoft\Windows\CurrentVersion\App Paths\PathIsWow64Processkernel32Software\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUArundll32.exeschtasks.exeGetProductInfokernel32.dllwut_sa2bwut_GWPBR(%d, %d)]:[_&?/%#+-%%%02X&?/%#+-%??%!Bad_URI!!!!!!Bad_URI!!Bad_URI!!Bad_URI!!!!!!!!!BABAuto%s%s%d%s%dBABCrossBABCrossBABCrossBABCrossBAB!Corrections!BAB!Convert!BAB!Messages!BAB!Analytics!,ERROR (%d)ERROR (%d)ERRORCPML::Dtor()CPML::Enter()CPML::Leave()EnglishArabicChinese(S)Chinese(T)DutchFinnishFrenchGermanGreekHebrewHungarianItalianJapaneseKoreanNorwegianPolishPortugueseRussianSpanishSwedishTurkishRomanianDanishHindiCzechIndonesianThaienEnglishengfrFrenchfraitItalianitaesSpanishspanlDutchdutptPortuguesepordeGermangerruRussianrusjaJapanesejpnzhtChinese (T)chtzhsChinese (S)chielGre
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exeCode function: 7_2_00BC15EB cpuid 7_2_00BC15EB
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: GetLocaleInfoW,2_2_00502490
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: GetLocaleInfoA,2_2_004675FD
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_004C0430 GetLocalTime,EnterCriticalSection,LeaveCriticalSection,2_2_004C0430
Source: C:\Users\user\Desktop\Unlocker1.9.2.exeCode function: 0_2_004059FF GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_004059FF
Source: Unlocker1.9.2.exe, 00000000.00000002.1926497169.0000000000556000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1681742885.000000000263D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UnlockerAssistant.exe
Source: Unlocker1.9.2.exe, 00000000.00000002.1926497169.0000000000556000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1681742885.000000000263D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Software\Microsoft\Windows\CurrentVersion\App Paths\Unlocker.exe
Source: Unlocker1.9.2.exe, 00000000.00000003.1893830861.0000000000598000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\Program Files\Unlocker\Unlocker.exe
Source: Unlocker1.9.2.exe, 00000000.00000003.1899972485.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1925287984.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000002.1926695195.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1896787629.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1925514963.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, Start Unlocker.lnk.0.drBinary or memory string: C:\Program Files\Unlocker\Unlocker.exe
Source: Unlocker1.9.2.exe, 00000000.00000002.1926497169.0000000000556000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1681742885.000000000263D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Unlocker.exe
Source: Unlocker1.9.2.exe, 00000000.00000002.1926497169.0000000000556000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1681742885.000000000263D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \UnlockerAssistant.exe
Source: Setup.exe, 00000002.00000002.1889578094.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889578094.00000000006A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Start Unlocker.lnk.0.drBinary or memory string: C:\Program Files\Unlocker\Unlocker.exe>..\..\..\..\..\..\..\..\..\Program Files\Unlocker\Unlocker.exe
Source: Unlocker1.9.2.exe, 00000000.00000003.1899972485.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1896787629.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1925287984.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000002.1926695195.00000000005BE000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1896787629.00000000005B6000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1925514963.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, Start Unlocker.lnk.0.drBinary or memory string: Unlocker.exe
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information

Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PreferencesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journalJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\prefs.jsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6095A290 sqlite3_value_type,sqlite3_value_type,sqlite3_value_type,sqlite3_bind_value,sqlite3_step,sqlite3_reset,sqlite3_last_insert_rowid,2_2_6095A290
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6095C284 sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,2_2_6095C284
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6091C208 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,2_2_6091C208
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6095E48C sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,memcpy,sqlite3_free,sqlite3_reset,2_2_6095E48C
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6095A488 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,2_2_6095A488
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6095C4F4 sqlite3_malloc,sqlite3_free,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,memset,sqlite3_reset,sqlite3_free,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,2_2_6095C4F4
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6095C428 sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_free,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,2_2_6095C428
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_60924545 sqlite3_mutex_enter,sqlite3_bind_int64,sqlite3_step,sqlite3_finalize,sqlite3_errmsg,sqlite3_mutex_leave,2_2_60924545
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_609546A0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,2_2_609546A0
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6095A7E4 sqlite3_malloc,memcpy,sqlite3_mprintf,sqlite3_realloc,sqlite3_prepare_v2,sqlite3_bind_int64,sqlite3_bind_int64,2_2_6095A7E4
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6095E758 sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_last_insert_rowid,2_2_6095E758
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_609609FC sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,2_2_609609FC
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_60960AA4 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,2_2_60960AA4
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6095AD8C sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,2_2_6095AD8C
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6095ADF4 sqlite3_bind_int,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,2_2_6095ADF4
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6095F100 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,2_2_6095F100
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6091D2B0 sqlite3_bind_blob,2_2_6091D2B0
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6091D2D4 sqlite3_bind_double,sqlite3_mutex_leave,2_2_6091D2D4
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6091D3A4 sqlite3_bind_null,sqlite3_mutex_leave,2_2_6091D3A4
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_609613A0 sqlite3_value_type,sqlite3_value_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_value_double,sqlite3_value_double,sqlite3_value_int,sqlite3_value_int,sqlite3_value_type,sqlite3_value_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,2_2_609613A0
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6091D3DC sqlite3_bind_text,2_2_6091D3DC
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_60961330 sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_last_insert_rowid,2_2_60961330
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6091D32C sqlite3_bind_int,sqlite3_bind_int64,2_2_6091D32C
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6091D348 sqlite3_bind_int64,sqlite3_mutex_leave,2_2_6091D348
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6091D4CC sqlite3_bind_zeroblob,sqlite3_mutex_leave,2_2_6091D4CC
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6091D400 sqlite3_bind_text16,2_2_6091D400
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6091D424 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,sqlite3_bind_blob,sqlite3_bind_null,2_2_6091D424
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6091D590 sqlite3_bind_parameter_name,2_2_6091D590
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6091D51C sqlite3_bind_parameter_count,2_2_6091D51C
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6091D6D4 sqlite3_transfer_bindings,2_2_6091D6D4
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6091D63C sqlite3_bind_parameter_index,2_2_6091D63C
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6095B7F8 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,2_2_6095B7F8
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6095B8C4 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_reset,2_2_6095B8C4
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_60959B1C sqlite3_malloc,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_parameter_count,sqlite3_bind_value,2_2_60959B1C
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_60959CC8 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_type,2_2_60959CC8
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6095FCE0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,2_2_6095FCE0
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6095FD40 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,2_2_6095FD40
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_6095BE5C sqlite3_malloc,memset,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_reset,2_2_6095BE5C
Source: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exeCode function: 2_2_60955FD4 sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,sqlite3_value_text,sqlite3_value_type,sqlite3_mprintf,2_2_60955FD4
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 11 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 3 Native API | 21 Windows Service | 21 Windows Service | 2 Obfuscated Files or Information | 11 Input Capture | 3 File and Directory Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | 11 Registry Run Keys / Startup Folder | 2 Process Injection | 1 Software Packing | Security Account Manager | 35 System Information Discovery | SMB/Windows Admin Shares | 11 Input Capture | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 11 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | NTDS | 251 Security Software Discovery | Distributed Component Object Model | 1 Clipboard Data | 2 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Masquerading | LSA Secrets | 3 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Process Injection | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Regsvr32 | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Rundll32 | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |

Behavior graph (Behavior Graph ID: 1474201; Sample: Unlocker1.9.2.exe; Startdate: 16/07/2024; Architecture: WINDOWS; Score: 42). Process chain shown: Unlocker1.9.2.exe started DeltaTB.exe and regsvr32.exe; DeltaTB.exe started Setup.exe; regsvr32.exe started a second regsvr32.exe; Setup.exe started rundll32.exe and setup.exe; rundll32.exe started ielowutil.exe.

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| Unlocker1.9.2.exe | 50% | ReversingLabs | | |

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| C:\Program Files\Unlocker\Unlocker.exe | 0% | ReversingLabs | | |
| C:\Program Files\Unlocker\UnlockerCOM.dll | 0% | ReversingLabs | | |
| C:\Program Files\Unlocker\UnlockerDriver5.sys | 0% | ReversingLabs | | |
| C:\Program Files\Unlocker\UnlockerInject32.exe | 0% | ReversingLabs | | |
| C:\Program Files\Unlocker\uninst.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\BExternal.dll | 5% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\IEHelper.dll | 8% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\BExternal.dll | 5% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\IEHelper.dll | 8% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\sqlite3.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe | 26% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\sqlite3.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\DeltaTB.exe | 46% | ReversingLabs | Win32.PUA.BabylonToolbar | |
| C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\InstallOptions.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\LangDLL.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\System.dll | 0% | ReversingLabs | | |

No Antivirus matches

No Antivirus matches

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
http://unlocker.emptyloop.com/????0%Avira URL Cloudsafe
http://babylon.com0%Avira URL Cloudsafe
http://unlocker.emptyloop.com/Este0%Avira URL Cloudsafe
http://stat.info-stream.net/report.php?no_policy=1&lang=0&source=setup-end&stage=111&ver=9.1.1.10&af0%Avira URL Cloudsafe
http://unlocker.emptyloop.com/Tato0%Avira URL Cloudsafe
http://stp.babylon.com/downloader.php?ver=9.1.1.10&affilID=122471&guid={58179BB7-E7F9-4C19-A3E7-DD439943CF6D}&mntrId=D842ECF4BBEA1588&moldid=d84249be000000000000ecf4bbea1588&sufn=Unlocker1.9.2.exe&iev=11&ffv=1&crv=117&dwb=cr&dlb=cr&wbr=4&ibprs=NA&ibprv=0&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&avr=V2luZG93cyBEZWZlbmRlcg==&tbtp=def&tbinst=1&w64=1&cntry=CH&cat=delta&uac=1&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:0;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0&lang=en&zpb=1&geo=10%Avira URL Cloudsafe
http://unlocker.emptyloop.com/This0%Avira URL Cloudsafe
http://unlocker.emptyloop.com/Acest0%Avira URL Cloudsafe
http://www.my-online-search.com/?babsrc=HP_ofln&mntrId=D842ECF4BBEA15880%Avira URL Cloudsafe
http://babylon.com/m0%Avira URL Cloudsafe
http://www.babylon.com/redirects/redir.cgi?type=getting_started&lang=$0%Avira URL Cloudsafe
http://unlocker.emptyloop.com/Questo0%Avira URL Cloudsafe
http://unlocker.emptyloop.com/Denegado0%Avira URL Cloudsafe
http://unlocker.emptyloop.com/Denne0%Avira URL Cloudsafe
http://unlocker.emptyloop.com/Odm0%Avira URL Cloudsafe
http://info.delta-search.com/uninstall/eula.html0%Avira URL Cloudsafe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico0%Avira URL Cloudsafe
http://stat.info-stream.net/report.php?no_policy=1&lang=0&source=setup-start&stage=0&ver=9.1.1.10&af0%Avira URL Cloudsafe
http://www.babylon.com/redirects/redir.cgi?type=post_install_page&lang=$0%Avira URL Cloudsafe
http://www.my-online-search.comhttp://www.my-online-search.com/?babsrc=HP_ofln&mntrId=&dlb=%dhome&?/0%Avira URL Cloudsafe
http://stp.babylon.com/downloader.php?&lang=&zpb=1&second=1&geo=1about:blank:about:blankbfrNvgt:0%Avira URL Cloudsafe
http://bis.babylon.com/0%Avira URL Cloudsafe
http://tcm.babylon.com/UM_Consumer/UMOpeartions0%Avira URL Cloudsafe
http://www.babylon.com/redirects/redir.cgi?type=babylon6_full_text0%Avira URL Cloudsafe
http://unlocker.emptyloop.com/)0%Avira URL Cloudsafe
http://dl.babylon.com/site/files/Setup9/dwr/DefaultClient/DefaultClient/Default-clientdat.zpb;http:/0%Avira URL Cloudsafe
http://www.babylon.com/lingoz-redirect0%Avira URL Cloudsafe
http://unlocker.emptyloop.com/See0%Avira URL Cloudsafe
http://dl.babylon.com/site/files/Setup9/dwr/latest/latest_bl/Setup2.zpb0%Avira URL Cloudsafe
http://www.my-online-search.com/?babsrc=HP_ofln&mntrId=D842ECF4BBEA1588&dlb=2&affID=122471tml0%Avira URL Cloudsafe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
dl.babylon-services.com | 198.143.128.244 | true | false | | unknown
stp.babylon-services.com | 184.154.27.232 | true | false | | unknown
stat.babylon-services.com | 184.154.27.232 | true | false | | unknown
stp.babylon.com | unknown | unknown | false | | unknown
dl.babylon.com | unknown | unknown | false | | unknown
stat.info-stream.net | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://stp.babylon.com/downloader.php?ver=9.1.1.10&affilID=122471&guid={58179BB7-E7F9-4C19-A3E7-DD439943CF6D}&mntrId=D842ECF4BBEA1588&moldid=d84249be000000000000ecf4bbea1588&sufn=Unlocker1.9.2.exe&iev=11&ffv=1&crv=117&dwb=cr&dlb=cr&wbr=4&ibprs=NA&ibprv=0&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&avr=V2luZG93cyBEZWZlbmRlcg==&tbtp=def&tbinst=1&w64=1&cntry=CH&cat=delta&uac=1&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:0;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0&lang=en&zpb=1&geo=1 | true | Avira URL Cloud: safe | unknown
http://dl.babylon.com/site/files/Setup9/dwr/latest/latest_bl/Setup2.zpb | false | Avira URL Cloud: safe | unknown
                • Avira URL Cloud: safe
                unknown
                http://unlocker.emptyloop.com/TaUnlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drfalse
                • Avira URL Cloud: safe
                unknown
                http://www.babylon.com/redirects/client.cgi?Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drfalse
                • Avira URL Cloud: safe
                unknown
                http://www.my-online-search.com/?q=Setup.exe, 00000002.00000003.1885066446.0000000003417000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://babylon.com/Setup.exe, 00000002.00000002.1889578094.0000000000669000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889578094.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1835852814.000000000072A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1835852814.0000000000771000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000005.00000002.2435790422.0000000002D08000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000005.00000002.2435790422.0000000002D30000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://unlocker.emptyloop.com/KyUnlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drfalse
                • Avira URL Cloud: safe
                unknown
                http://clients.babylon.com/pro/kms6.cgiDeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825508077.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826319728.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drfalse
                • Avira URL Cloud: safe
                unknown
                http://unlocker.emptyloop.comUnlocker1.9.2.exe, 00000000.00000003.1897071636.000000000263E000.00000004.00000020.00020000.00000000.sdmp, README.TXT.0.drfalse
                • Avira URL Cloud: safe
                unknown
                http://www.my-online-search.com/?babsrc=HP_ofln&mntrId=D842ECF4BBEA1588&dlb=2&affID=122471atKSetup.exe, 00000002.00000003.1887022882.0000000003457000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887168532.0000000003461000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884844277.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887118168.0000000003459000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888342919.0000000003468000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886488405.0000000003422000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884982165.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888563401.0000000003468000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886689266.0000000003445000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887283130.0000000003467000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886389126.0000000003420000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886034766.000000000341D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886544155.000000000342A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885066446.0000000003417000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://info.babylon.com/welcome/DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825508077.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826319728.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drfalse
                • Avira URL Cloud: safe
                unknown
                http://www.my-online-search.com/?babsrc=HP_ofln&mntrId=D842ECF4BBEA1588&dlb=2&affID=122471.dat?Setup.exe, 00000002.00000003.1887022882.0000000003457000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887168532.0000000003461000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891106230.000000000347A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884844277.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887118168.0000000003459000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886488405.0000000003422000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884982165.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887787451.0000000003470000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886689266.0000000003445000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887283130.0000000003467000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886389126.0000000003420000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886034766.000000000341D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886544155.000000000342A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888320589.0000000003473000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885066446.0000000003417000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://unlocker.emptyloop.com/ToUnlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drfalse
                • Avira URL Cloud: safe
                unknown
                http://babylon.comrundll32.exe, 00000004.00000002.1835852814.000000000072A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1835852814.0000000000720000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000005.00000002.2435790422.0000000002D30000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drtrue
                • Avira URL Cloud: safe
                unknown
                http://unlocker.emptyloop.com/EsteUnlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drfalse
                • Avira URL Cloud: safe
                unknown
                http://unlocker.emptyloop.com/TatoUnlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drfalse
                • Avira URL Cloud: safe
                unknown
                http://stat.info-stream.net/report.php?no_policy=1&lang=0&source=setup-end&stage=111&ver=9.1.1.10&afSetup.exe, 00000002.00000003.1885763690.00000000033A1000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885798283.00000000033B9000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://unlocker.emptyloop.com/????Unlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drfalse
                • Avira URL Cloud: safe
                unknown
                http://unlocker.emptyloop.com/EstaUnlocker.exe.0.drfalse
                  unknown
                  http://cs-g2-crl.thawte.com/ThawteCSG2.crl0DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Unlocker1.9.2.exe, Setup.exe.1.dr, DeltaTB.exe.0.drfalse
                    unknown
                    http://crl.thawte.com/ThawteTimestampingCA.crl0DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Unlocker1.9.2.exe, Setup.exe.1.dr, DeltaTB.exe.0.drfalse
                    • URL Reputation: safe
                    unknown
                    http://unlocker.emptyloop.com/ThisUnlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://unlocker.emptyloop.com/AcestUnlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.my-online-search.com/?babsrc=HP_ofln&mntrId=D842ECF4BBEA1588Setup.exe, 00000002.00000003.1887022882.0000000003457000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891170190.0000000003489000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888867282.0000000003488000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887168532.0000000003461000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884844277.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887118168.0000000003459000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886488405.0000000003422000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888438576.0000000003482000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884982165.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887787451.0000000003470000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886689266.0000000003445000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888617392.0000000003482000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887283130.0000000003467000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886389126.0000000003420000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887823999.0000000003481000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886034766.000000000341D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886544155.000000000342A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885066446.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888704415.0000000003482000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://babylon.com/mielowutil.exe, 00000005.00000002.2435790422.0000000002D30000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://unlocker.emptyloop.com/QuestoUnlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://unlocker.emptyloop.com/DenegadoUnlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.babylon.com/redirects/redir.cgi?type=getting_started&lang=$Setup.exe, 00000002.00000003.1885875778.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://unlocker.emptyloop.com/DenneUnlocker.exe.0.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://info.delta-search.com/uninstall/eula.htmlUnlocker1.9.2.exe, 00000000.00000003.1792880465.0000000003990000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1819489201.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1794629232.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1794514906.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000002.1926497169.0000000000556000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1790565433.0000000003990000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1794570553.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1794794163.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1794412908.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1790305403.0000000003990000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1819188983.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000002.1925781626.000000000019A000.00000004.00000010.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1794305651.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1681742885.000000000263D000.00000004.00000020.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1794248113.0000000003990000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1728487357.00000000038D0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1790350769.0000000003990000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1728675366.0000000002639000.00000004.00000020.00020000.00000000.sdmp, 
Unlocker1.9.2.exe, 00000000.00000003.1794740244.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1794356784.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Unlocker1.9.2.exe, 00000000.00000003.1794464519.00000000039A0000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://unlocker.emptyloop.com/OdmUnlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://www.google.com/images/branding/product/ico/googleg_lodp.icoSetup.exe, 00000002.00000002.1891296075.00000000037A0000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://stat.info-stream.net/report.php?no_policy=1&lang=0&source=setup-start&stage=0&ver=9.1.1.10&afSetup.exe, 00000002.00000002.1889578094.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889578094.00000000006A3000.00000004.00000020.00020000.00000000.sdmp, log_file.txt.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://stp.babylon.com/downloader.php?&lang=&zpb=1&second=1&geo=1about:blank:about:blankbfrNvgt:DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe, 00000002.00000000.1822765744.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.babylon.com/redirects/redir.cgi?type=post_install_page&lang=$DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825508077.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.babylon.com/redirects/redir.cgi?type=babylon6_full_textDeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887022882.0000000003457000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826341006.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826075904.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826852679.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887168532.0000000003461000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884844277.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887118168.0000000003459000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886488405.0000000003422000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825809134.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884982165.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826245487.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888284358.000000000348C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826636430.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 
00000002.00000003.1827261990.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827167077.0000000003417000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://ocsp.thawte.com0DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Unlocker1.9.2.exe, Setup.exe.1.dr, DeltaTB.exe.0.drfalse
                    • URL Reputation: safe
                    unknown
                    http://www.my-online-search.comhttp://www.my-online-search.com/?babsrc=HP_ofln&mntrId=&dlb=%dhome&?/DeltaTB.exe, 00000001.00000003.1891713311.0000000000C81000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe, 00000002.00000000.1822765744.000000000051B000.00000002.00000001.01000000.0000000A.sdmp, Setup.exe.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tcm.babylon.com/UM_Consumer/UMOpeartionsSetup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://bis.babylon.com/DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825508077.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826319728.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://unlocker.emptyloop.com/)Unlocker.exe.0.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://dl.babylon.com/site/files/Setup9/dwr/DefaultClient/DefaultClient/Default-clientdat.zpb;http:/DeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885763690.00000000033A1000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825508077.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885875778.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://unlocker.emptyloop.com/SeeUnlocker1.9.2.exe, 00000000.00000003.1894617962.0000000002639000.00000004.00000020.00020000.00000000.sdmp, Unlocker.exe.0.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.babylon.com/lingoz-redirectDeltaTB.exe, 00000001.00000003.1891713311.0000000000C60000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826579285.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884922512.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1827240846.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826056059.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826926590.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825508077.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1890896423.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1826319728.00000000033BD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000002.1891231718.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1825787154.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, Babylon.dat.2.dr, Babylon.dat.1.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.my-online-search.com/?babsrc=HP_ofln&mntrId=D842ECF4BBEA1588&dlb=2&affID=122471tmlSetup.exe, 00000002.00000003.1887022882.0000000003457000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887168532.0000000003461000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884844277.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887118168.0000000003459000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888342919.0000000003468000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886488405.0000000003422000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1884982165.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1888563401.0000000003468000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886689266.0000000003445000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1887283130.0000000003467000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886389126.0000000003420000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886034766.000000000341D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1886544155.000000000342A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1885066446.0000000003417000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
198.143.128.244 | dl.babylon-services.com | United States | 32475 | SINGLEHOP-LLCUS | false
184.154.27.232 | stp.babylon-services.com | United States | 32475 | SINGLEHOP-LLCUS | false

IP
127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1474201
Start date and time: 2024-07-16 14:43:25 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Unlocker1.9.2.exe
Detection: MAL
Classification: mal42.spyw.evad.winEXE@14/55@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 52%
• Number of executed functions: 230
• Number of non-executed functions: 239
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: Unlocker1.9.2.exe
No simulations
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                    184.154.27.232 | Babylon9_setup.exe | Get hash | malicious | Unknown | Browse |
                    184.154.27.232 | IBXFrJydru.exe | Get hash | malicious | Unknown | Browse |
                    184.154.27.232 | SecuriteInfo.com.Adware.Babylon.15.13567.exe | Get hash | malicious | Unknown | Browse |
                    184.154.27.232 | DeltaTB.exe | Get hash | malicious | Unknown | Browse |
                    184.154.27.232 | cf9f3c05-00c9-4008-846e-7d9a88232305.exe | Get hash | malicious | Unknown | Browse |
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                    dl.babylon-services.com | SecuriteInfo.com.Adware.Babylon.15.13567.exe | Get hash | malicious | Unknown | Browse | 198.143.175.67
                    dl.babylon-services.com | DeltaTB.exe | Get hash | malicious | Unknown | Browse | 198.143.175.67
                    stat.babylon-services.com | IBXFrJydru.exe | Get hash | malicious | Unknown | Browse | 184.154.27.232
                    stat.babylon-services.com | DeltaTB.exe | Get hash | malicious | Unknown | Browse | 184.154.27.232
                    stp.babylon-services.com | Babylon9_setup.exe | Get hash | malicious | Unknown | Browse | 184.154.27.232
                    stp.babylon-services.com | IBXFrJydru.exe | Get hash | malicious | Unknown | Browse | 184.154.27.232
                    stp.babylon-services.com | SecuriteInfo.com.Adware.Babylon.15.13567.exe | Get hash | malicious | Unknown | Browse | 184.154.27.232
                    stp.babylon-services.com | DeltaTB.exe | Get hash | malicious | Unknown | Browse | 184.154.27.232
                    stp.babylon-services.com | cf9f3c05-00c9-4008-846e-7d9a88232305.exe | Get hash | malicious | Unknown | Browse | 184.154.27.232
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                    SINGLEHOP-LLCUS | jew.ppc.elf | Get hash | malicious | Mirai | Browse | 65.60.54.12
                    SINGLEHOP-LLCUS | rIMG-Scan_PO_44.exe | Get hash | malicious | AgentTesla | Browse | 173.236.63.6
                    SINGLEHOP-LLCUS | https://flowcode.com/p/8iNLSyeSA?fc=0 | Get hash | malicious | HTMLPhisher | Browse | 198.143.164.252
                    SINGLEHOP-LLCUS | https://track.arise-yumeco.com/b556fac5-9e35-4d53-8880-c2f16c2ede4d | Get hash | malicious | Unknown | Browse | 184.154.10.250
                    SINGLEHOP-LLCUS | https://thoughtbulb.dev/nuik/?client-request-id=cuyahogacountypubliclibrary@cuyahoga.lib.oh.us | Get hash | malicious | Unknown | Browse | 198.143.164.252
                    SINGLEHOP-LLCUS | PO#29949920010_RFQ-No. 8283 J-80-PM-MRQ-8025.exe | Get hash | malicious | AgentTesla | Browse | 173.236.63.6
                    SINGLEHOP-LLCUS | SecuriteInfo.com.Win32.RATX-gen.21654.3667.exe | Get hash | malicious | AgentTesla | Browse | 173.236.63.6
                    SINGLEHOP-LLCUS | rPOs,PSB-17398902,84789.exe | Get hash | malicious | AgentTesla | Browse | 173.236.63.6
                    SINGLEHOP-LLCUS | rStatementofAccountasat30MAY-JUN2024.exe | Get hash | malicious | AgentTesla | Browse | 173.236.63.6
                    SINGLEHOP-LLCUS | https://maknastudio.com/pkyo | Get hash | malicious | Unknown | Browse | 198.143.164.252
                              No context
                              No context
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1689
                              Entropy (8bit):4.70951895283198
                              Encrypted:false
                              SSDEEP:24:bQOdZha0FcSV1TRyr005QmiLB3pmNv+kFEwRywEuwChXthNl8krzcLd2ULt:Dxe41TkzH0mNBjAn3qZ2krzSDLt
                              MD5:F3B322AADB14E1B2BA9BF38972DC216C
                              SHA1:4564F088EC683F8A89894B8158A79D358693BBA8
                              SHA-256:B604FA4D14829D2D5B55F94D9B7298417ACD0949E4F4C1483A4411BC4968AFAC
                              SHA-512:9A8E5D36328A796FED7D07E82E45F001EC5891B01B54B47D20D90B6A982D1B8240F9EAB3EDDE7F5D271B3667F54D0AAEF4B21C9D1E50B265E70B3E65EE37573C
                              Malicious:false
                              Reputation:low
                              Preview:Unlocker for Windows 2000, XP, 2003, Vista and 7 both 32 and 64 bits...Copyright (C) 2005-2011 Cedrick Collomb / Empty Loop..unlocker.emptyloop.com....Using Unlocker..--------------....How often have you tried to delete or rename a file or folder and got.."Cannot delete xxx: It is being used by another person or program." ?....Unlocker is a tool which will help you overcoming this scandalous Windows..bug.....Simply right click the file or folder and select Unlocker. If the file..or folder is locked then a window will appear with a list of processes..locking the file or folder. Select the locks and click Unlock and you ..are done.....It is recommended to Unlock wisely and to close open processes locking..files or folder if any, but if only Explorer.exe is the culprit, do not..hesitate! :D....Terms of Use..------------....This software is provided "as is", without any guarantee made..as to its suitability or fitness for any particular use. It may..contain bugs, so use of this tool is at
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):124928
                              Entropy (8bit):6.117157328512671
                              Encrypted:false
                              SSDEEP:1536:QjL8UYqusRZHN+R6iJBf232Qxl1D5ljFerDUF7TGMvB+xpgGfGlbPMcpEkAEAG+L://sRZt+R6+232QLADzMvYonfgQ/Y39
                              MD5:0A77F732624155A215F5CA54DF9B2930
                              SHA1:172BDF71343DD6544CFBE04ABBC3DEC4535F7D84
                              SHA-256:A0B651038C4301F70E4AEA506EB90EDC584A5C4CA46880C7DC2AE5EAFA6DC506
                              SHA-512:6482C9FC3B5FF9D5798DEB9965B4DFAB9BA62B889E921011696F29DD96B813194A59F76A52A88FA4962317C6A43A21122C857E4CA80C6C4360C2CEE544117352
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Reputation:low
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........q..."..."...".E."..."..."..."..."..."..."..."..."..."Rich..."........PE..d..."..P..........#..........|.................@.....................................................................................................p.......P.......................................................................................................text............................... ..`.data....d..........................@....pdata.......P......................@..@.CRT....(....`......................@..@.rsrc........p......................@..@................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:MS Windows 95 Internet shortcut text (URL=<http://unlocker.emptyloop.com/>), ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):56
                              Entropy (8bit):4.431719878492293
                              Encrypted:false
                              SSDEEP:3:HRAbABGQYm/2oWtV6JnRyn:HRYFVm/Xo6yn
                              MD5:2043E152CBAA21E30B53B6D6C50CD780
                              SHA1:544AA2ADF641B1D7330DB20D268308BD9F680917
                              SHA-256:2253C9CEB715D173ABAE90D4836A6A506E6049FEF0FC98D1649AB57ED94707AC
                              SHA-512:865249F3979BF76C26E1455AEFC3E4B92D0B8259398D068066D3F3B9EF945EE0A78BB7616638092C120337F348A063A22A16857CC86B7450FFE55FDF5638189A
                              Malicious:false
                              Preview:[InternetShortcut]..URL=http://unlocker.emptyloop.com/..
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):20032
                              Entropy (8bit):6.120916226027237
                              Encrypted:false
                              SSDEEP:384:b0cviyVcgoH1a3FveCAmbtQ/o8DhQLMwdYJLygbPbCQW1M6jjDAa:b03nTHsFv+/oih5FLfbCPMmjl
                              MD5:5FE324D6C1DC481136742AB5FB8F6672
                              SHA1:02F2D4476006CECD771DE3CBE247E432950AE916
                              SHA-256:0A66B19BB38385A8879633DCE1272B8ACF1B4B264C88E254345EC249335B41B1
                              SHA-512:FAA76477503923D1C14A12F00D7D416E5FBB485560EA02ED1E6EF6337F9AD88BC612AF241EA61C8F9003253CCF5F66B2C7CE4A508BB2ADC761C4F36AC345195D
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*../n.~|n.~|n.~|.F.|l.~|.F.|a.~|n..|C.~|I..|o.~|I..|o.~|I..|o.~|I..|o.~|Richn.~|........................PE..d......K.........." ..... ...........".......................................p......................................................@........(.......P..|....@.......4..@....`..(....................................................................................text............ .................. ..`.data...0....0.......$..............@....pdata.......@.......&..............@..@.rsrc...|....P.......(..............@..@.reloc..P....`.......2..............@..B................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):12352
                              Entropy (8bit):6.464105601913163
                              Encrypted:false
                              SSDEEP:192:dqD9l0Hvj1+z7PcFVyowJL/W6Mgb5+ebCfYEQpkqs1I5Zgjl50Xe:60HvozjeVYJLygbPbCQW1M6jYXe
                              MD5:9DC07E73A4ABB9ACF692113B36A5009F
                              SHA1:0C45B0FA0718E5ABA0F21F14178597A1ED3FC208
                              SHA-256:CA7176FC219515D58DCFA66EC61880ECE5617275C9B83701BB74D8B60E733D34
                              SHA-512:7BB2F07DF990689933B344D2E3061A5E1324ABA011E703130379ED24B253BDD464C9D26B8EFE2D86523F241236FF1B7EDB02919801850BB749849215B1FABF57
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S....................w......q....0;.....0;.....Rich...................PE..d.....K.........."..................0.........@....................................W........................................................A..(....p.......`..........@............................................................@..p............................text...D........................... ..`PAGE......... ...................... ..`INIT....+....0...................... ..`.rdata..R....@......................@..@.data........P......................@....pdata.......`......................@..@.rsrc........p......................@..@........................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):11840
                              Entropy (8bit):6.714063708551743
                              Encrypted:false
                              SSDEEP:192:kpjAiTRs0TjebH947yowJL/W6Mgb5+ebCfYEQpkqs1I5Zgjl5w:kWIsUgHqYJLygbPbCQW1M6jk
                              MD5:5B964DBCC99EDEE45A6F235417713A93
                              SHA1:E65BB79A470A509A50B4C275C10BC10892AB11CA
                              SHA-256:3B1AFEA2711E5D731A60B41E87F4711FE1DB3345FA316BE20347376068479DD5
                              SHA-512:60DD41E0434FCC7D6D57A02D69CD47C2B74C9C18316F59AEE88DA087C22C3E8408AA94AB9738EDC1B229DB8F83E620354394AE3847E216C2BCE33DC0D3E62743
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.R...<...<...<.2.G...<...=...<.2.R...<.2.@...<.2.D...<.Rich..<.........................PE..L.../..K............................Q........ ....@..........................@..............................................t...d....0..................@...............................................................\............................text............................... ..`.data........ ......................@....rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                              Category:dropped
                              Size (bytes):98302
                              Entropy (8bit):6.9288137123184175
                              Encrypted:false
                              SSDEEP:1536:LLXB65939tY6HBg4sXJH3VRRYia6S+0hyc1tb/ny+ti8wgdK8gM6srLnV+:LLk395hYXJy+Hetb/nsZh8gMJn4
                              MD5:CBC4DC3DC6588687641D7FFD626A0156
                              SHA1:3BEF23915D9469FD93BDC6DF447DD596D01F233D
                              SHA-256:DA85CD2439827EDF0C06E9B5F6780182F50DADB6608512BA86989F6905C5F6D8
                              SHA-512:6E0A86A35C6B46BEE9E0D5A1796A360BDF0DB1B79CCB9BCB8F18631EC500350F245C2E11E38C5EA4BE3846017CBFE725FC643F3FAD14695FCD683026D3C5B3C6
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................Z...........0.......p....@..........................@...............................................s..........hX...........................................................................p...............................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data...x............p..............@....ndata.......@...........................rsrc...hX.......Z...t..............@..@................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3844
                              Entropy (8bit):7.9473327809209735
                              Encrypted:false
                              SSDEEP:96:JoZggOWDGmubGYXwfR1ZCeeIV7Bwbuq44oP:yy3WFYXwNneEIA3
                              MD5:5E6230B3B16798E23720958756AC6D9E
                              SHA1:C7BCB001C48A67D4C9D6E70E92473EBD85B30585
                              SHA-256:D49EC47F5D27A09A17E00A6EB78F49A761C9F5881EC81FB07CC49FD0A5F287B2
                              SHA-512:6B1C132F0E4FC2CA6B5E8D807671C586D84E044E4DB8380682FD4D071160177C0F7E7A6AFAE3EE74A4FBD5C65ACA0C0876948F5A42DEAFDBB685C5B7989B5AAE
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):274
                              Entropy (8bit):5.925546659669212
                              Encrypted:false
                              SSDEEP:6:T3C1NyQx7MwvJ043t3wuqzHBa9j4CaJaoQ3yvZR+n:j8x7QAt3JwhWaQCvv+
                              MD5:66AC3BAE1AF259D143B7E5B7ED33FCBA
                              SHA1:0DBA3F19AA54AFECEEDE904E9CCB9ACBAA7C8CD0
                              SHA-256:39192ECB5ED65522CFE1FBFDEF832648036634B856B4A036876746E28E852DF6
                              SHA-512:73187D11A31604D3478772B5DA23310D927FAFC5A9EBA44B925B9ADD44B7E56FE05702C6C2888C2D14BAC8CB155BFBE89634562D2DAAA28083CCF1F19FE34E3D
                              Malicious:false
                              Preview:!-trkInfo=[TType:5012_7];#DQ0BWQFd4nGNiYGZiYGEFYjYgNgFiFiYGZkYHZ&3ikhQ3twjPvOKSHAX9nLx022gfRz&3WAX9xLScEtukxKTi4hIF&dK8TKCKxJwcx5wcBgEwiJ2ruxMA0PcVLQ;#DQyEgeJxjYmBmYmBhBWI2IDYCYi5GVsYGARB41vZ8IgAW5QQg;$http://dl.babylon.com/site/files/Setup9/dwr/latest/latest_bl/Setup2.zpb;
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3844
                              Entropy (8bit):7.9473327809209735
                              Encrypted:false
                              SSDEEP:96:JoZggOWDGmubGYXwfR1ZCeeIV7Bwbuq44oP:yy3WFYXwNneEIA3
                              MD5:5E6230B3B16798E23720958756AC6D9E
                              SHA1:C7BCB001C48A67D4C9D6E70E92473EBD85B30585
                              SHA-256:D49EC47F5D27A09A17E00A6EB78F49A761C9F5881EC81FB07CC49FD0A5F287B2
                              SHA-512:6B1C132F0E4FC2CA6B5E8D807671C586D84E044E4DB8380682FD4D071160177C0F7E7A6AFAE3EE74A4FBD5C65ACA0C0876948F5A42DEAFDBB685C5B7989B5AAE
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\DeltaTB.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):132096
                              Entropy (8bit):6.077194684081875
                              Encrypted:false
                              SSDEEP:1536:aKpmHnzBkCQDQsjqpw/pAsRiYt5+IvNkGNr3jk2zzfrFabmhu5J0tHS+f:aKpmHnCClMSNK+ETHfrFar5J0tF
                              MD5:B212865E7E478A28A97268F960079A8D
                              SHA1:DED201AE02FB9EA3646489AFEDA49270C4620D9C
                              SHA-256:D6138AEF3F7674E2442ADD75013C86CA8FDA3D5BA69737A9B881E7F7BBC730E6
                              SHA-512:D973F9CB45D2035A8546BBDF77FA1B239A3F1E4BA2B17D32195A1CFED13FE06AAF48B91A133CEBD7E53481AB5A5E9166329B730587B46A154B193779DA6AD737
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 5%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........5..w[..w[..w[.....w[.....w[.....w[..%..w[.. ..w[..5..w[..wZ.pw[.....w[.....w[..%..w[.....w[.Rich.w[.........PE..L.....P...........!.....V..........(p.......p...............................`............@.........................`...S.......d.... .......................0.......r..................................@............p......l...`....................text....U.......V.................. ..`.rdata...K...p...L...Z..............@..@.data..../..........................@....SHARDAT. ......."..................@....rsrc........ ......................@..@.reloc... ...0..."..................@..B........................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\DeltaTB.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12384
                              Entropy (8bit):5.999166475309639
                              Encrypted:false
                              SSDEEP:192:6SqGSumjR7rVILJ7hzEJboFI1BI1x7RpjEie/X6S8k0oP0dNdNhkAU0RSB2rBkEl:iGJmRyJyJb71C1x7R4a+0RSGPB
                              MD5:825E5733974586A0A1229A53361ED13E
                              SHA1:9EC5B8944C6727FDA6FDC3C18856884554CF6B31
                              SHA-256:0A90B96EAF5D92D33B36F73B36B7F9CE3971E5F294DA51ED04DA3FB43DD71A96
                              SHA-512:FF039E86873A1014B1F8577AEC9B4230126B41CC204A6911CD372D224B8C07996D4BB2728A06482C5E98FB21F2D525395491F29D428CDD5796A26E372AF5AD4E
                              Malicious:false
                              Preview:Ao...............................d......2.......................................................'...Babylon Trial..........2.............................................................'...Babylon..........2..............'...Englishtown..........2............................................................................'...Babylon..........2....'...Babylon Viewer..........2........................... ......'...Babylon Public..........2........................'..-Babylon Online/Offline Viewer..........2........................'..%Babylon Online Viewer..........2........................'..&Babylon Offline Viewer..........2........................'..&Babylon Premium Viewer..........2................................ ......'..#Babylon-Pro Classic..........2............................................................................'..+Babylon (Corporate Edition)..........2.......................................... ......'.."Babylon (Standard)..........2..............'...Englishtown.......
                              Process:C:\Users\user\AppData\Local\Temp\DeltaTB.exe
                              File Type:HTML document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):644
                              Entropy (8bit):5.2453607077208835
                              Encrypted:false
                              SSDEEP:12:hnMEwuiuX4w4vy4WhPHMNUyXUoZhYpNtlVGlKN7HClolEJqNYMxhCRCBRPGu:hMNmMvy4WJHGp/YEaREJNMN5
                              MD5:F50FA4673555652289652753183FD1EE
                              SHA1:F496797F0D34EB866D6328D2FD1492B485F74D0A
                              SHA-256:AFB21B51CEAD30ED14F79293D50B9C3C7A706B5287AAD6CDE06EA44A364DF812
                              SHA-512:6E92B13343AD35A8A8C61E54CE3ABB9A28ABEEC4AA8C765326E0D1EC111C7656D8F0F349C44820FB1ABA6730C22F84F7411C0C0B24322BDAA8A977B79BAA23DA
                              Malicious:false
                              Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>..</head>..<body style="width:550px; background-color:#d4e7fe">.. <div id="bdy" style="margin: 150px auto; height: 100px; width: 220px;">.. <div>.. <div style="text-align:center; font-size:17px; padding:2px; behavior: url(#default#BabDefBhv:text);">IDS_LOADING</div>.. <div style="margin:5px auto; width:32px;">.. <img id="roundProgress" src="pBar.gif" />.. </div>.. </div>.. </div>..</body>..</html>..
                              Process:C:\Users\user\AppData\Local\Temp\DeltaTB.exe
                              File Type:HTML document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):926
                              Entropy (8bit):5.348370067881831
                              Encrypted:false
                              SSDEEP:12:hnMEwuiuX4w4vy4Wh7qJmuMu5+nulOlkkQ2VMCHMNUyXUoZhY+dDNtloNGlomqNt:hMNmMvy4Wa9XlgkkQ+MCHGp/Y+dFzsx5
                              MD5:0C464E407C81764EBC09EACBE41F0B3E
                              SHA1:245AFE550A05215E5873D8F5F21C22D12AA46B6A
                              SHA-256:770A302BC58B513472AA603AE44A365A6F4F8CBDDC13D2692F71B09F143F8A26
                              SHA-512:71070FCD243CBB3E4452874ECAF8E20E13CBBBAD0009CE543CA49601FACC1AB1906C298849D3B8FB5747DF1109F8E85946243EC7BFA0EAD97CA0AED9EC8D3DFC
                              Malicious:false
                              Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>.. <script type="text/javascript">.. function exitSetup() {... window.external.openPage('{"name":"error"}');...}.. function onXBtnPress() {... exitSetup();... return true;.. }.. </script>..</head>..<body style="width:550px; background-color:#d4e7fe">.. <div id="bdy" style="margin: 150px auto; height: 100px; width: 500px;">.. <div>.. <div style="font-size:17px; padding:2px; behavior: url(#default#BabDefBhv:text);">IDS_NAV_ERROR</div>.. <div style="margin:30px auto; width:32px;">.. <input type="button" id="exit" value="BTN_CLOSE" class="BAB_BhvElm" onclick="exitSetup()" style="behavior: url(#default#BabDefBhv:text);" />.. </div>.. </div>.. </div>..</body>..</html>..
                              Process:C:\Users\user\AppData\Local\Temp\DeltaTB.exe
                              File Type:GIF image data, version 89a, 32 x 32
                              Category:dropped
                              Size (bytes):3208
                              Entropy (8bit):7.524069178961416
                              Encrypted:false
                              SSDEEP:48:3CwXprsPLjhI4TRpiPDZmjbzpB0IDmkgl/gpx2ugG1LyZtAegoA/3wlSMilKphGa:3J5YPxIRiq/qpx2F3ZtA1oC3TMnphOQ
                              MD5:26621CB27BBC94F6BAB3561791AC013B
                              SHA1:4010A489350CF59FD8F36F8E59B53E724C49CC5B
                              SHA-256:E512D5B772FEF448F724767662E3A6374230157E35CAB6F4226496ACC7AA7AD3
                              SHA-512:9A19E8F233113519B22D9F3B205F2A3C1B59669A0431A5C3EF6D7ED66882B93C8582F3BAA13DF4647BCC265D19F7C6543758623044315105479D2533B11F92C6
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\DeltaTB.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):4.32136921936664
                              Encrypted:false
                              SSDEEP:96:/JWaDD77eJq0VOs/i5VSweLvuRBUlXVCt6:BT77Gq0ss/4SweoBwk
                              MD5:A21DE5067618D4F2DF261416315ED120
                              SHA1:7759A3318DE2ABC3755EBB7F50322C6D586B5286
                              SHA-256:6D13D2967A37BA76F840CD45DBA565C5D64938A99D886243F01713CD018E53CA
                              SHA-512:6B5C40D09A9548FDE90C1B1127A36E813525BEA6FF80D5FB0911DDEF67954B209DF44CBF4714CD00C4E2E4DA90CFC4967DB7174C28F751F7C5B881FA18CC938A
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 8%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v..............................o.......o.......o......Rich............................PE..L.....P...........!......................... ......................................V}....@..........................#..w...."..P....`.......................p......P ............................................... ..L............................text............................... ..`.rdata....... ......................@..@.data.... ...0......................@....rsrc........`......................@..@.reloc.......p......................@..B................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):132096
                              Entropy (8bit):6.077194684081875
                              Encrypted:false
                              SSDEEP:1536:aKpmHnzBkCQDQsjqpw/pAsRiYt5+IvNkGNr3jk2zzfrFabmhu5J0tHS+f:aKpmHnCClMSNK+ETHfrFar5J0tF
                              MD5:B212865E7E478A28A97268F960079A8D
                              SHA1:DED201AE02FB9EA3646489AFEDA49270C4620D9C
                              SHA-256:D6138AEF3F7674E2442ADD75013C86CA8FDA3D5BA69737A9B881E7F7BBC730E6
                              SHA-512:D973F9CB45D2035A8546BBDF77FA1B239A3F1E4BA2B17D32195A1CFED13FE06AAF48B91A133CEBD7E53481AB5A5E9166329B730587B46A154B193779DA6AD737
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 5%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........5..w[..w[..w[.....w[.....w[.....w[..%..w[.. ..w[..5..w[..wZ.pw[.....w[.....w[..%..w[.....w[.Rich.w[.........PE..L.....P...........!.....V..........(p.......p...............................`............@.........................`...S.......d.... .......................0.......r..................................@............p......l...`....................text....U.......V.................. ..`.rdata...K...p...L...Z..............@..@.data..../..........................@....SHARDAT. ......."..................@....rsrc........ ......................@..@.reloc... ...0..."..................@..B........................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12384
                              Entropy (8bit):5.999166475309639
                              Encrypted:false
                              SSDEEP:192:6SqGSumjR7rVILJ7hzEJboFI1BI1x7RpjEie/X6S8k0oP0dNdNhkAU0RSB2rBkEl:iGJmRyJyJb71C1x7R4a+0RSGPB
                              MD5:825E5733974586A0A1229A53361ED13E
                              SHA1:9EC5B8944C6727FDA6FDC3C18856884554CF6B31
                              SHA-256:0A90B96EAF5D92D33B36F73B36B7F9CE3971E5F294DA51ED04DA3FB43DD71A96
                              SHA-512:FF039E86873A1014B1F8577AEC9B4230126B41CC204A6911CD372D224B8C07996D4BB2728A06482C5E98FB21F2D525395491F29D428CDD5796A26E372AF5AD4E
                              Malicious:false
                              Preview:Ao...............................d......2.......................................................'...Babylon Trial..........2.............................................................'...Babylon..........2..............'...Englishtown..........2............................................................................'...Babylon..........2....'...Babylon Viewer..........2........................... ......'...Babylon Public..........2........................'..-Babylon Online/Offline Viewer..........2........................'..%Babylon Online Viewer..........2........................'..&Babylon Offline Viewer..........2........................'..&Babylon Premium Viewer..........2................................ ......'..#Babylon-Pro Classic..........2............................................................................'..+Babylon (Corporate Edition)..........2.......................................... ......'.."Babylon (Standard)..........2..............'...Englishtown.......
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:HTML document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):644
                              Entropy (8bit):5.2453607077208835
                              Encrypted:false
                              SSDEEP:12:hnMEwuiuX4w4vy4WhPHMNUyXUoZhYpNtlVGlKN7HClolEJqNYMxhCRCBRPGu:hMNmMvy4WJHGp/YEaREJNMN5
                              MD5:F50FA4673555652289652753183FD1EE
                              SHA1:F496797F0D34EB866D6328D2FD1492B485F74D0A
                              SHA-256:AFB21B51CEAD30ED14F79293D50B9C3C7A706B5287AAD6CDE06EA44A364DF812
                              SHA-512:6E92B13343AD35A8A8C61E54CE3ABB9A28ABEEC4AA8C765326E0D1EC111C7656D8F0F349C44820FB1ABA6730C22F84F7411C0C0B24322BDAA8A977B79BAA23DA
                              Malicious:false
                              Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>..</head>..<body style="width:550px; background-color:#d4e7fe">.. <div id="bdy" style="margin: 150px auto; height: 100px; width: 220px;">.. <div>.. <div style="text-align:center; font-size:17px; padding:2px; behavior: url(#default#BabDefBhv:text);">IDS_LOADING</div>.. <div style="margin:5px auto; width:32px;">.. <img id="roundProgress" src="pBar.gif" />.. </div>.. </div>.. </div>..</body>..</html>..
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:HTML document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):926
                              Entropy (8bit):5.348370067881831
                              Encrypted:false
                              SSDEEP:12:hnMEwuiuX4w4vy4Wh7qJmuMu5+nulOlkkQ2VMCHMNUyXUoZhY+dDNtloNGlomqNt:hMNmMvy4Wa9XlgkkQ+MCHGp/Y+dFzsx5
                              MD5:0C464E407C81764EBC09EACBE41F0B3E
                              SHA1:245AFE550A05215E5873D8F5F21C22D12AA46B6A
                              SHA-256:770A302BC58B513472AA603AE44A365A6F4F8CBDDC13D2692F71B09F143F8A26
                              SHA-512:71070FCD243CBB3E4452874ECAF8E20E13CBBBAD0009CE543CA49601FACC1AB1906C298849D3B8FB5747DF1109F8E85946243EC7BFA0EAD97CA0AED9EC8D3DFC
                              Malicious:false
                              Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>.. <script type="text/javascript">.. function exitSetup() {... window.external.openPage('{"name":"error"}');...}.. function onXBtnPress() {... exitSetup();... return true;.. }.. </script>..</head>..<body style="width:550px; background-color:#d4e7fe">.. <div id="bdy" style="margin: 150px auto; height: 100px; width: 500px;">.. <div>.. <div style="font-size:17px; padding:2px; behavior: url(#default#BabDefBhv:text);">IDS_NAV_ERROR</div>.. <div style="margin:30px auto; width:32px;">.. <input type="button" id="exit" value="BTN_CLOSE" class="BAB_BhvElm" onclick="exitSetup()" style="behavior: url(#default#BabDefBhv:text);" />.. </div>.. </div>.. </div>..</body>..</html>..
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:GIF image data, version 89a, 32 x 32
                              Category:dropped
                              Size (bytes):3208
                              Entropy (8bit):7.524069178961416
                              Encrypted:false
                              SSDEEP:48:3CwXprsPLjhI4TRpiPDZmjbzpB0IDmkgl/gpx2ugG1LyZtAegoA/3wlSMilKphGa:3J5YPxIRiq/qpx2F3ZtA1oC3TMnphOQ
                              MD5:26621CB27BBC94F6BAB3561791AC013B
                              SHA1:4010A489350CF59FD8F36F8E59B53E724C49CC5B
                              SHA-256:E512D5B772FEF448F724767662E3A6374230157E35CAB6F4226496ACC7AA7AD3
                              SHA-512:9A19E8F233113519B22D9F3B205F2A3C1B59669A0431A5C3EF6D7ED66882B93C8582F3BAA13DF4647BCC265D19F7C6543758623044315105479D2533B11F92C6
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):4.32136921936664
                              Encrypted:false
                              SSDEEP:96:/JWaDD77eJq0VOs/i5VSweLvuRBUlXVCt6:BT77Gq0ss/4SweoBwk
                              MD5:A21DE5067618D4F2DF261416315ED120
                              SHA1:7759A3318DE2ABC3755EBB7F50322C6D586B5286
                              SHA-256:6D13D2967A37BA76F840CD45DBA565C5D64938A99D886243F01713CD018E53CA
                              SHA-512:6B5C40D09A9548FDE90C1B1127A36E813525BEA6FF80D5FB0911DDEF67954B209DF44CBF4714CD00C4E2E4DA90CFC4967DB7174C28F751F7C5B881FA18CC938A
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 8%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v..............................o.......o.......o......Rich............................PE..L.....P...........!......................... ......................................V}....@..........................#..w...."..P....`.......................p......P ............................................... ..L............................text............................... ..`.rdata....... ......................@..@.data.... ...0......................@....rsrc........`......................@..@.reloc.......p......................@..B................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3844
                              Entropy (8bit):7.9473327809209735
                              Encrypted:false
                              SSDEEP:96:JoZggOWDGmubGYXwfR1ZCeeIV7Bwbuq44oP:yy3WFYXwNneEIA3
                              MD5:5E6230B3B16798E23720958756AC6D9E
                              SHA1:C7BCB001C48A67D4C9D6E70E92473EBD85B30585
                              SHA-256:D49EC47F5D27A09A17E00A6EB78F49A761C9F5881EC81FB07CC49FD0A5F287B2
                              SHA-512:6B1C132F0E4FC2CA6B5E8D807671C586D84E044E4DB8380682FD4D071160177C0F7E7A6AFAE3EE74A4FBD5C65ACA0C0876948F5A42DEAFDBB685C5B7989B5AAE
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):91790
                              Entropy (8bit):7.9969876797429755
                              Encrypted:true
                              SSDEEP:1536:YYMRZJnf4lTn61qnl4nJszUaFsQZFWT9a5wSFU/BTi5MjmMoa7OYCVumZJBE:YYgJmOs4nJwFRZFSa5vUoumaE8mZJBE
                              MD5:407846797C5BA247ABEB5FA7C0C0BA05
                              SHA1:44386455EED8E74D75E95E9E81E96A19F0B27884
                              SHA-256:0147B5B11B935310752666FCF1E6AFC922B76FF03D01A0D1EE2BABEAC10CA1E3
                              SHA-512:7399A9228F971698DB7362AAD28D3F9694C0BF453D4529E48BC7869AF0960452CFE1A5F0A5754E7D567D81B5AA1E35BE05A9E36EC745E5470D20FD44A61D20AF
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):205
                              Entropy (8bit):4.9535990881965635
                              Encrypted:false
                              SSDEEP:3:SC2nnnPjnu5AqBQW1ALepBTY2EUHgLJpB1GHGDusAY75E8SlQkQGEie0GUGl:SDnPoPB/mLepBREUALJv1TX9EDKJ5sGl
                              MD5:90713AB7A74884CD36A5FB4CFCDECE8A
                              SHA1:7BB56D08FD69A98E543B923BD0A9156F92A9C473
                              SHA-256:BC40813F6D07DBC1A4D4C74363460D1AD6EE76275729DE4C4F10EC40D8CC46EB
                              SHA-512:639D68135FB54264F2E21081D6CA9FFE73A94035982F4A2D7133D6D402CDD3EF4A695EEB61AD173DC6D1B8167D1F5DF2BE61A972C96F07AC357ECEC887A0D191
                              Malicious:false
                              Preview:A>..................c.......e..HKEY_NONE........babtb1........8..babylonsig=0000ddc5393a3898d6fab33f1b7634f4cacf2f4dc9ddfcbcc1defbd0ce593049:0000d32e061a0029c5ccdae47322435ba6e55cac53459f5d334a8ccfc03203ca
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):174
                              Entropy (8bit):4.747151880874695
                              Encrypted:false
                              SSDEEP:3:L2lhgnnn/9HNhcGVUDTERd8oDFLSbhlVEHgUVwkdHYzHcLSTp43FQClB/YcYN:LChgnl8GVUDTERCoDt8V8PVwkFYqSVgE
                              MD5:4F6E1FDBEF102CDBD379FDAC550B9F48
                              SHA1:5DA6EE5B88A4040C80E5269E0CD2B0880B20659C
                              SHA-256:E58EA352C050E6353FB5B4FA32A97800298C1603489D3B47794509AF6C89EC4C
                              SHA-512:54EFC9BDE44F332932A97396E59ECA5B6EA1AC72F929CCFFA1BDAB96DC3AE8D61E126ADBD26D12D0BC83141CEE03B24AD2BADA411230C4708B7A9AE9C60AECBE
                              Malicious:false
                              Preview:A...................j........<\...babylonsig=000073e9c01f6a45cc864dc02a0f7bf8bcabc4db855fc5bd7a04d0abc34be5df:0000050db25f8bdf7e3b9e906bf562b69d8997079c552e0c644fd006193bd428
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):249
                              Entropy (8bit):5.365979053267958
                              Encrypted:false
                              SSDEEP:6:t8knqres54xUSIJY7rsNXVO5HzVUTA010HkiYKoYb7orHTMS:t8knqPCxUNYXsFcNzVUM0109Y6/ozTT
                              MD5:A4AF0A0C254B38F2F9EECBF0E00B08FE
                              SHA1:EF730BCE77699730DDA378DC444B997CE7CEEA7A
                              SHA-256:810E0E32D54B9E1557DA7CCF1CA9F6354814E90DADC6B4AF5E1CBDF87FAC925A
                              SHA-512:B74596E55E75413303559C135DB393A04D6FD6CBAB147A51AC2F46435F52B92B82868DE4E67917A7B388D82C672FA36B525B88E2EEFE7EC40695F028395DCD84
                              Malicious:false
                              Preview:A@i....................@YHKEY_CLASSES_ROOT\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data...........babylonsig=000100374627dcb412ef9c7f6e6383eb408216ef2e8c99cab4a28ea690db202a:00006cc208e02b54e138d1ec1b02ef66d0b7f8e02d0d3a2c12c6a72548b0fc07
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):234
                              Entropy (8bit):5.1257718700950665
                              Encrypted:false
                              SSDEEP:3:elm7gnnn7nlun8FxIEyLdKC1xZ1jPAUFA9EHANrQ3wV39VuVUjKGBTc6+HYXDwDe:fgn8n8zIxdK2HG7EgNEg39MmIYXUDQQU
                              MD5:6358860CD0C336C1F91F86BE701D77C4
                              SHA1:5DD38B818BF0860B4C5144BA670A759D4345E4EC
                              SHA-256:2ED42E3C958EB21352BAE4B00DB2FA5BE94149ABC64EEC93E5258B9C4A715457
                              SHA-512:7DF3B3E1487D3A65000B6208969F1E695815133C052F369BEB36877FE5C6F64D979AEFD030A193B04A5E46FB0D97A3CC06837AA381EFE6BC24A0C084C768DAC1
                              Malicious:false
                              Preview:A@Z..............2........."search.babylon.com.......$www.claro-search.com...... .........9...babylonsig=000014b501afb12514e838be35fd24590f9f095658a0cdd234df33a6003ea621:0000627597f0acd7d524976ccd69bab0cb4198771d23d12f21d1af554430d7ef
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):178
                              Entropy (8bit):4.797553801917334
                              Encrypted:false
                              SSDEEP:3:PC2nnnxnzkS2gfE8JfizV3RT3d/7lkVVYQdyFE6MBvhShRO7H/bSGPX:62n+S2V8Vu3139lkVVYX+NB8ADT1PX
                              MD5:0B7BE9C4B72C2C5166BFD61CA5EBBFED
                              SHA1:AEA0AA4E8226C1B4EFCE92E909DA773744BAA6D4
                              SHA-256:673BF972D308BC6108360575608CF72F393413F2D3993489B06DA4A6EFC749BD
                              SHA-512:4DCD7EA01B05550ACB00B71E7E9FDD52A04FE1CC574655030DCAE94B87DAD86BFB7973ADF9185DE03BCACB100FFF758B1A2F928FCB951E2B31E320860A2226D8
                              Malicious:false
                              Preview:A#..............2.................b+..babylonsig=0000b7d47988ec9b6d29c69c2d65aa0453a80949ffe47b173bcbcbaf1664b37f:0000d475e18513509c850255a7e329dacbd702f4edee04be1371ccd95bc05742
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):174
                              Entropy (8bit):4.752125358171384
                              Encrypted:false
                              SSDEEP:3:L2lhgnnnShk1X3slFi0U6tgFnlHOW8O+NYXnbcE0aBSVXdE1TbSXQK:LChgnShklvkWFnd+2XbciSV0SXQK
                              MD5:7E72D256E34635D351092955D1F8516B
                              SHA1:7F240F8F4BD61AE59247D84D0EC85F5BC8729F36
                              SHA-256:39EB1667A67149B5D930E5408896027E3C3FC06282735E61CB8D85F5B38F587C
                              SHA-512:621EB4BF2864DB2FA0F861C233CED790124E9060C081948BEB7117F8C058A36ECCA23EE05CE2D6D42AF15533C050F648D276589682D91DFE699EBE871CC9AE8C
                              Malicious:false
                              Preview:A..............................o|.babylonsig=0000f7ffd199a6d07f03f6b2b8764a34a26e4dc1ed5ba9a3d998872127314113:0000cb9730cf6e41158f8f209a78d8121f40b07026490a300c0a084fb724d516
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Preview:1
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):8704
                              Entropy (8bit):4.98329973703044
                              Encrypted:false
                              SSDEEP:96:TvYfTLHRm6VMp8PS5JTMNF4m1AcFM8S6Y3+IsONTv2e6BL:TvY+8PS5JwHV1Te8S6YW6Tv2e6
                              MD5:5790A04F78C61C3CAEA7DDD6F01829D2
                              SHA1:9D783D964338A5378280DD3C3B72519D11F73FFA
                              SHA-256:726B0E7E515F7BD62C912B094FA95C7C2285A44E03D264F5DD9E70729C0E9606
                              SHA-512:9134FC02095E313FCB528FA32C8534929FDDFB7B7B139A829F2B3EB32CD4C606F6D2EC6DFF57A890EA250CE1430EB272461ACCFE05164BD4CFA496C0A1474AD0
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'.BSF..SF..SF....P.RF....S.[F..Z>..XF..SF..aF....R.VF....T.RF....Q.RF..RichSF..................PE..L...*.R..................................... ....@..........................p............@.................................H&..P....P.......................`......p ..8............................&..@............ ..h............................text...*........................... ..`.rdata..,.... ......................@..@.data........0......................@....CRT.........@......................@..@.rsrc........P......................@..@.reloc..B....`......................@..B................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):520234
                              Entropy (8bit):6.562174410690013
                              Encrypted:false
                              SSDEEP:6144:RgEF6lmEVKtkDCQ/kUrc7dBLhuKgrQCjBXPTnrKcCxcfKvrLJLqgx5YMk4HJ0yPF:GEEdkUrc7RuKcQCdGVtT0MkCwwV/Hn
                              MD5:0F66E8E2340569FB17E774DAC2010E31
                              SHA1:406BB6854E7384FF77C0B847BF2F24F3315874A3
                              SHA-256:DE818C832308B82C2FABD5D3D4339C489E6F4E9D32BB8152C0DCD8359392695F
                              SHA-512:39275DF6E210836286E62A95ACE7F66C7D2736A07B80F9B7E9BD2A716A6D074C79DEAE54E2D21505B74BAC63DF0328D6780A2129CDFDA93AEC1F75B523DA9E05
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h..K........... ...8.$...t...............@.....`.......................................... ......................`..,.......P...............................H!...................................................................................text....#.......$..................`..`.data...8....@.......(..............@....bss.........P...........................edata..,....`.......6..............@....idata..P............N..............@....reloc..H!......."...V..............@....stab...l............x.................B.stabstr...............................B................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\DeltaTB.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):1898992
                              Entropy (8bit):5.743047590845145
                              Encrypted:false
                              SSDEEP:24576:knARLFkMxNcIs5WLDbZfGG98dhNmpejZCPiXnE2yYH0e8U07:BFkw7s5WcYkjZCwE2dH0e8UG
                              MD5:26F6D1B6756A83DE9755A05F7C030D75
                              SHA1:935F58155F74B051F9123B6022B7D358B52B146F
                              SHA-256:2ACAB7C986BBF80578C3BD998DD2D853257719CEB74C9D30BB4EA28952403D5B
                              SHA-512:AF9603572BDDB6244A7AB0484CB3AC9ED7C91B1CEA3E3F8C8886478930DBC102925B45ED094EAA2801755644E3BB4A4C0685A423F937F4B02AF16FEEC56E4F6F
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 26%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........U........................................w............<.......<..................#...................Rich............PE..L...O<.Q.....................N......vb............@........................................................................H...T....P.. ?..........................0...................................@............................................text...U........................... ..`.rdata..VR.......T..................@..@.data....1..........................@....rsrc... ?...P...@..................@..@........................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\DeltaTB.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):91790
                              Entropy (8bit):7.9969876797429755
                              Encrypted:true
                              SSDEEP:1536:YYMRZJnf4lTn61qnl4nJszUaFsQZFWT9a5wSFU/BTi5MjmMoa7OYCVumZJBE:YYgJmOs4nJwFRZFSa5vUoumaE8mZJBE
                              MD5:407846797C5BA247ABEB5FA7C0C0BA05
                              SHA1:44386455EED8E74D75E95E9E81E96A19F0B27884
                              SHA-256:0147B5B11B935310752666FCF1E6AFC922B76FF03D01A0D1EE2BABEAC10CA1E3
                              SHA-512:7399A9228F971698DB7362AAD28D3F9694C0BF453D4529E48BC7869AF0960452CFE1A5F0A5754E7D567D81B5AA1E35BE05A9E36EC745E5470D20FD44A61D20AF
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\DeltaTB.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):205
                              Entropy (8bit):4.9535990881965635
                              Encrypted:false
                              SSDEEP:3:SC2nnnPjnu5AqBQW1ALepBTY2EUHgLJpB1GHGDusAY75E8SlQkQGEie0GUGl:SDnPoPB/mLepBREUALJv1TX9EDKJ5sGl
                              MD5:90713AB7A74884CD36A5FB4CFCDECE8A
                              SHA1:7BB56D08FD69A98E543B923BD0A9156F92A9C473
                              SHA-256:BC40813F6D07DBC1A4D4C74363460D1AD6EE76275729DE4C4F10EC40D8CC46EB
                              SHA-512:639D68135FB54264F2E21081D6CA9FFE73A94035982F4A2D7133D6D402CDD3EF4A695EEB61AD173DC6D1B8167D1F5DF2BE61A972C96F07AC357ECEC887A0D191
                              Malicious:false
                              Preview:A>..................c.......e..HKEY_NONE........babtb1........8..babylonsig=0000ddc5393a3898d6fab33f1b7634f4cacf2f4dc9ddfcbcc1defbd0ce593049:0000d32e061a0029c5ccdae47322435ba6e55cac53459f5d334a8ccfc03203ca
                              Process:C:\Users\user\AppData\Local\Temp\DeltaTB.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):174
                              Entropy (8bit):4.747151880874695
                              Encrypted:false
                              SSDEEP:3:L2lhgnnn/9HNhcGVUDTERd8oDFLSbhlVEHgUVwkdHYzHcLSTp43FQClB/YcYN:LChgnl8GVUDTERCoDt8V8PVwkFYqSVgE
                              MD5:4F6E1FDBEF102CDBD379FDAC550B9F48
                              SHA1:5DA6EE5B88A4040C80E5269E0CD2B0880B20659C
                              SHA-256:E58EA352C050E6353FB5B4FA32A97800298C1603489D3B47794509AF6C89EC4C
                              SHA-512:54EFC9BDE44F332932A97396E59ECA5B6EA1AC72F929CCFFA1BDAB96DC3AE8D61E126ADBD26D12D0BC83141CEE03B24AD2BADA411230C4708B7A9AE9C60AECBE
                              Malicious:false
                              Preview:A...................j........<\...babylonsig=000073e9c01f6a45cc864dc02a0f7bf8bcabc4db855fc5bd7a04d0abc34be5df:0000050db25f8bdf7e3b9e906bf562b69d8997079c552e0c644fd006193bd428
                              Process:C:\Users\user\AppData\Local\Temp\DeltaTB.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):249
                              Entropy (8bit):5.365979053267958
                              Encrypted:false
                              SSDEEP:6:t8knqres54xUSIJY7rsNXVO5HzVUTA010HkiYKoYb7orHTMS:t8knqPCxUNYXsFcNzVUM0109Y6/ozTT
                              MD5:A4AF0A0C254B38F2F9EECBF0E00B08FE
                              SHA1:EF730BCE77699730DDA378DC444B997CE7CEEA7A
                              SHA-256:810E0E32D54B9E1557DA7CCF1CA9F6354814E90DADC6B4AF5E1CBDF87FAC925A
                              SHA-512:B74596E55E75413303559C135DB393A04D6FD6CBAB147A51AC2F46435F52B92B82868DE4E67917A7B388D82C672FA36B525B88E2EEFE7EC40695F028395DCD84
                              Malicious:false
                              Preview:A@i....................@YHKEY_CLASSES_ROOT\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data...........babylonsig=000100374627dcb412ef9c7f6e6383eb408216ef2e8c99cab4a28ea690db202a:00006cc208e02b54e138d1ec1b02ef66d0b7f8e02d0d3a2c12c6a72548b0fc07
                              Process:C:\Users\user\AppData\Local\Temp\DeltaTB.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):234
                              Entropy (8bit):5.1257718700950665
                              Encrypted:false
                              SSDEEP:3:elm7gnnn7nlun8FxIEyLdKC1xZ1jPAUFA9EHANrQ3wV39VuVUjKGBTc6+HYXDwDe:fgn8n8zIxdK2HG7EgNEg39MmIYXUDQQU
                              MD5:6358860CD0C336C1F91F86BE701D77C4
                              SHA1:5DD38B818BF0860B4C5144BA670A759D4345E4EC
                              SHA-256:2ED42E3C958EB21352BAE4B00DB2FA5BE94149ABC64EEC93E5258B9C4A715457
                              SHA-512:7DF3B3E1487D3A65000B6208969F1E695815133C052F369BEB36877FE5C6F64D979AEFD030A193B04A5E46FB0D97A3CC06837AA381EFE6BC24A0C084C768DAC1
                              Malicious:false
                              Preview:A@Z..............2........."search.babylon.com.......$www.claro-search.com...... .........9...babylonsig=000014b501afb12514e838be35fd24590f9f095658a0cdd234df33a6003ea621:0000627597f0acd7d524976ccd69bab0cb4198771d23d12f21d1af554430d7ef
                              Process:C:\Users\user\AppData\Local\Temp\DeltaTB.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):178
                              Entropy (8bit):4.797553801917334
                              Encrypted:false
                              SSDEEP:3:PC2nnnxnzkS2gfE8JfizV3RT3d/7lkVVYQdyFE6MBvhShRO7H/bSGPX:62n+S2V8Vu3139lkVVYX+NB8ADT1PX
                              MD5:0B7BE9C4B72C2C5166BFD61CA5EBBFED
                              SHA1:AEA0AA4E8226C1B4EFCE92E909DA773744BAA6D4
                              SHA-256:673BF972D308BC6108360575608CF72F393413F2D3993489B06DA4A6EFC749BD
                              SHA-512:4DCD7EA01B05550ACB00B71E7E9FDD52A04FE1CC574655030DCAE94B87DAD86BFB7973ADF9185DE03BCACB100FFF758B1A2F928FCB951E2B31E320860A2226D8
                              Malicious:false
                              Preview:A#..............2.................b+..babylonsig=0000b7d47988ec9b6d29c69c2d65aa0453a80949ffe47b173bcbcbaf1664b37f:0000d475e18513509c850255a7e329dacbd702f4edee04be1371ccd95bc05742
                              Process:C:\Users\user\AppData\Local\Temp\DeltaTB.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):174
                              Entropy (8bit):4.752125358171384
                              Encrypted:false
                              SSDEEP:3:L2lhgnnnShk1X3slFi0U6tgFnlHOW8O+NYXnbcE0aBSVXdE1TbSXQK:LChgnShklvkWFnd+2XbciSV0SXQK
                              MD5:7E72D256E34635D351092955D1F8516B
                              SHA1:7F240F8F4BD61AE59247D84D0EC85F5BC8729F36
                              SHA-256:39EB1667A67149B5D930E5408896027E3C3FC06282735E61CB8D85F5B38F587C
                              SHA-512:621EB4BF2864DB2FA0F861C233CED790124E9060C081948BEB7117F8C058A36ECCA23EE05CE2D6D42AF15533C050F648D276589682D91DFE699EBE871CC9AE8C
                              Malicious:false
                              Preview:A..............................o|.babylonsig=0000f7ffd199a6d07f03f6b2b8764a34a26e4dc1ed5ba9a3d998872127314113:0000cb9730cf6e41158f8f209a78d8121f40b07026490a300c0a084fb724d516
                              Process:C:\Users\user\AppData\Local\Temp\DeltaTB.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):520234
                              Entropy (8bit):6.562174410690013
                              Encrypted:false
                              SSDEEP:6144:RgEF6lmEVKtkDCQ/kUrc7dBLhuKgrQCjBXPTnrKcCxcfKvrLJLqgx5YMk4HJ0yPF:GEEdkUrc7RuKcQCdGVtT0MkCwwV/Hn
                              MD5:0F66E8E2340569FB17E774DAC2010E31
                              SHA1:406BB6854E7384FF77C0B847BF2F24F3315874A3
                              SHA-256:DE818C832308B82C2FABD5D3D4339C489E6F4E9D32BB8152C0DCD8359392695F
                              SHA-512:39275DF6E210836286E62A95ACE7F66C7D2736A07B80F9B7E9BD2A716A6D074C79DEAE54E2D21505B74BAC63DF0328D6780A2129CDFDA93AEC1F75B523DA9E05
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h..K........... ...8.$...t...............@.....`.......................................... ......................`..,.......P...............................H!...................................................................................text....#.......$..................`..`.data...8....@.......(..............@....bss.........P...........................edata..,....`.......6..............@....idata..P............N..............@....reloc..H!......."...V..............@....stab...l............x.................B.stabstr...............................B................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):785904
                              Entropy (8bit):7.996461190547012
                              Encrypted:true
                              SSDEEP:12288:XSsZfDKTpv0aNjLDiIx56qQDtOZTIzOjAWe0YiZ2PADaRx6Zfuc//yTuXbdir7+:XSiGTpTLDxxwqQcqOj5eyHox6ZGmAuXr
                              MD5:EB2764885565B6C01CB32E5F51F213B3
                              SHA1:CC41CADBBD6BA6ED0BFDD17798B4C9F94D7955E0
                              SHA-256:D7146999FF94B3AE092F3213DDF0217615F1D38798393B66778D11AAE2B68EAF
                              SHA-512:AC88795B2E8260ACE9EB57D2A3FDC4AADB18E2CB0AFD780459F51D25F83B34F7033425DC712655E423EBA4E011FD2776F53463042F2C2D9DD427554C04CC840E
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 46%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......aJh.%+..%+..%+..,S..$+..,S..-+....}. +..%+..;+..,S..-+..,S..$+..Rich%+..........PE..L...Ri@Q.....................................@....@.......................... .......\....@.................................LB..<....`..(............................@...............................................@..x............................text....-.......................... ..`.rdata..L....@.......2..............@..@.data........P.......8..............@....rsrc...(....`.......:..............@..@.reloc..L...........................@..B........................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:Generic INItialization configuration [Field 1]
                              Category:dropped
                              Size (bytes):2011
                              Entropy (8bit):5.350840205875144
                              Encrypted:false
                              SSDEEP:24:51ObX1eYfWrjBP9GT4KemQf6ongzDnDopP1TSpnUU+dXdiRR8J7vEV/kdWHr8Xd:2TadwczmQiongzDnITGnUaMAV8dWwt
                              MD5:821CA6FA2185452B03D3F053C9222B5F
                              SHA1:BA30453214D4A1F875CD192B072998312674D1BD
                              SHA-256:17067EC8EBA6511C381F4751D808BFBC9015C5B8A8AF471FAB7C542F0333F2E2
                              SHA-512:6D3E4381556DF1898FF718B23ADBAC78147F64F4A61D960CD4685E3BDD8072DCA52AD8E491B6FD21D73C4BAFEEB085EC01DFC8C5F50AF7CB3B39A5DD3DB9F937
                              Malicious:false
                              Preview:[Settings]..NumFields=13..RTL=0..State=0....[Field 1]..Type=RadioButton..Text=Quick (Recommended)..Left=50..Right=280..Top=0..Bottom=8..Flags=NOTABSTOP|NOTIFY..State=1..HWND=197282....[Field 2]..Type=Bitmap..Text=C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\delta_logo_small.bmp..Left=0..Right=35..Top=0..Bottom=135..Flags=NOTABSTOP..HWND=197234....[Field 3]..Type=checkbox..Text=Install Delta toolbar..Left=62..Right=-10..Top=76..Bottom=84..State=1..Flags=DISABLED..HWND=197286....[Field 4]..Type=checkbox..Text=Make Delta my default search engine..Left=72..Right=-10..Top=88..Bottom=96..State=1..Flags=DISABLED..HWND=1114778....[Field 5]..Type=checkbox..Text=Make Delta my default homepage and new tab..Left=72..Right=-10..Top=100..Bottom=108..State=1..Flags=DISABLED..HWND=393242....[Field 6]..Type=label..Text=By clicking next you accept the..Left=50..Right=149..Top=130..Bottom=138..Flags=NOTABSTOP..HWND=66690....[Field 7]..Type=Link..Text=legal terms..Left=150..Right=186..Top=130..Bottom=138
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):14848
                              Entropy (8bit):5.550299117674118
                              Encrypted:false
                              SSDEEP:192:86d+dHXLHQOPiY53uiUdigyU+WsPdc/A1A+2jwK72dwF7dBEnbok:86UdHXcIiY535zBt2jw+BEnbo
                              MD5:325B008AEC81E5AAA57096F05D4212B5
                              SHA1:27A2D89747A20305B6518438EFF5B9F57F7DF5C3
                              SHA-256:C9CD5C9609E70005926AE5171726A4142FFBCCCC771D307EFCD195DAFC1E6B4B
                              SHA-512:18362B3AEE529A27E85CC087627ECF6E2D21196D725F499C4A185CB3A380999F43FF1833A8EBEC3F5BA1D3A113EF83185770E663854121F2D8B885790115AFDF
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L.p..q.,.q.,.q.,.q.,@q.,.~C,.q.,\R.,.q.,\R/,.q.,.w.,.q.,.Q.,.q.,Rich.q.,........................PE..L......K...........!.........<.......).......0.......................................................................8..p...81.......p..........................@....................................................0..8............................text...@........................... ..`.rdata.......0....... ..............@..@.data... (...@.......*..............@....rsrc........p.......2..............@..@.reloc...............4..............@..B........................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):5632
                              Entropy (8bit):3.951555564830228
                              Encrypted:false
                              SSDEEP:48:iV6pAvmNC6iMPUptxEZK65x/AmvycNSmwVsOYJyvrpXptp/JvR0Jlof5d2:2811GED5ZTvycNSmwVsTJuftpZR0Sd2
                              MD5:9384F4007C492D4FA040924F31C00166
                              SHA1:ABA37FAEF30D7C445584C688A0B5638F5DB31C7B
                              SHA-256:60A964095AF1BE79F6A99B22212FEFE2D16F5A0AFD7E707D14394E4143E3F4F5
                              SHA-512:68F158887E24302673227ADFFC688FD3EDABF097D7F5410F983E06C6B9C7344CA1D8A45C7FA05553ADCC5987993DF3A298763477168D4842E554C4EB93B9AAAF
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................~..........z.....B....Rich..........PE..L......K...........!......................... ...............................`......................................p"..I...` ..P....@..`....................P....................................................... ..`............................text...l........................... ..`.rdata....... ......................@..@.data...l....0......................@....rsrc...`....@......................@..@.reloc..@....P......................@..B................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):11264
                              Entropy (8bit):5.568877095847681
                              Encrypted:false
                              SSDEEP:192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
                              MD5:C17103AE9072A06DA581DEC998343FC1
                              SHA1:B72148C6BDFAADA8B8C3F950E610EE7CF1DA1F8D
                              SHA-256:DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F
                              SHA-512:D32A71AAEF18E993F28096D536E41C4D016850721B31171513CE28BBD805A54FD290B7C3E9D935F72E676A1ACFB4F0DCC89D95040A0DD29F2B6975855C18986F
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j....l.9..i....l.Richm.........................PE..L......K...........!................0).......0...............................`......................................p2......t0..P............................P.......................................................0..X............................text...1........................... ..`.rdata.......0......."..............@..@.data...d....@.......&..............@....reloc.......P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:PC bitmap, Windows 3.x format, 50 x 46 x 32, resolution 5905 x 5905 px/m, cbSize 9254, bits offset 54
                              Category:dropped
                              Size (bytes):9275
                              Entropy (8bit):5.943259792257716
                              Encrypted:false
                              SSDEEP:192:NFwO6xAA7skBZgZIY1nIcg9tmZ0Hcy7y5q7WvbVZE8qObUO5wG3:6JYOqIhP9tmZ0Hcy7y5q7WvbUs3
                              MD5:2786F736B7A2022A9117FA8CDDF7269B
                              SHA1:FEEFBA3044896EABE63545DF3FC50056C7663002
                              SHA-256:C92E8E901C8FF0B2384840200D2A22A9FD357F6A3D8784E5DA6F93CD863D3CAD
                              SHA-512:F9160AD0D4B429250BD7B0701CEAB4E7AAA643BB478309B7F684C12BA6EC3FB6F9F50141A347302314923929D74E9F5C1A6F2672F0056B0801215CDD64A030EB
                              Malicious:false
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:Generic INItialization configuration [Field 1]
                              Category:dropped
                              Size (bytes):558
                              Entropy (8bit):5.3825164312301155
                              Encrypted:false
                              SSDEEP:12:lOuf9VTsAgQRvAYfghX4gNhBLfP4gNDHFl8s3Nw:1TdRvAYfghX1JP1ZHF1y
                              MD5:1ECF0C6B4F3DD5E981C9EA07D7D64011
                              SHA1:36C673C564D6A0D7009259399C3FE126EA128785
                              SHA-256:25A0EFF83CB850CDD4E7E69130BB7106FD58B2831FDB539377FF6C95D5BEF56D
                              SHA-512:3076AF1E9327AAAF8783E9E1050BD35A97004691D0EA702857E942C11E3D7C4AEB544F49309EEADA6ABABD1B720DF3870F5CA5EEB75EC915579AF4CC911C2E91
                              Malicious:false
                              Preview:[Settings]..Rect=1044..NumFields=3..RTL=0..NextButtonText=&Finish..CancelEnabled=..State=0..[Field 1]..Type=bitmap..Left=0..Right=109..Top=0..Bottom=193..Flags=RESIZETOFIT..Text=C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\modern-wizard.bmp..HWND=328834..[Field 2]..Type=label..Left=120..Right=315..Top=10..Text=Completing the Unlocker 1.9.2 Setup Wizard..Bottom=38..HWND=394302..[Field 3]..Type=label..Left=120..Right=315..Top=45..Bottom=185..Text=Unlocker 1.9.2 has been installed on your computer.\r\n\r\nClick Finish to close this wizard...HWND=524936..
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:PC bitmap, Windows 3.x format, 164 x 314 x 4, image size 26376, resolution 2834 x 2834 px/m, cbSize 26494, bits offset 118
                              Category:dropped
                              Size (bytes):26494
                              Entropy (8bit):1.9568109962493656
                              Encrypted:false
                              SSDEEP:24:Qwika6aSaaDaVYoG6abuJsnZs5GhI11BayNXPcDrSsUWcSphsWwlEWqCl6aHAX2x:Qoi47a5G8SddzKFIcsOz3Xz
                              MD5:CBE40FD2B1EC96DAEDC65DA172D90022
                              SHA1:366C216220AA4329DFF6C485FD0E9B0F4F0A7944
                              SHA-256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
                              SHA-512:62990CB16E37B6B4EFF6AB03571C3A82DCAA21A1D393C3CB01D81F62287777FB0B4B27F8852B5FA71BC975FEAB5BAA486D33F2C58660210E115DE7E2BD34EA63
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (707), with CRLF line terminators
                              Category:dropped
                              Size (bytes):2650
                              Entropy (8bit):5.575820178873435
                              Encrypted:false
                              SSDEEP:48:JLzpvm4uqgC4dlBp7AsrDOQ61zDptGIBXkn1/xTNcv+lTpltGu+kn1/xTNJma:BzpvJuqgdl37AsrDOQ61zDXQn1ZNcvGv
                              MD5:928F4C830FF1AAFD18F872ABAB37BA7A
                              SHA1:76A0C7A6F65F36D9A7B36E013962DC5CF501261C
                              SHA-256:79AF45FFCE39EA34863D7C69CBEF381E5FB0B53191251A9E03BA056028DF8F1A
                              SHA-512:20E1A898FEF75CDB5F408C8AEBAFCDE452861A47976A60A9DD02F655173AAE25FE7F2CE6C27B7C7B55687094A3DEAAFE3C6608B2F7EED99DC7DEAAAD34ABF82E
                              Malicious:false
                              Preview:...----------- 16/07/24 - running v9.1.1.10 on 468325 (user:user) -----------.. Windows Path: C:\Windows..08:44:31 (Setup)-Command line: -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt...08:44:31 (Client)-LM file is C:\ProgramData\Babylon\BabAll.dat...08:44:31 (Client)-LM imported to file...08:44:31 (Client)-LM file access denied...08:44:32 (Setup)-UI lang: 0, src: 4...08:44:34 (Setup)-SourceDir: C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\...08:44:34 (Setup)-InstallDir: C:\Program Files (x86)\Babylon\Babylon-Pro\...08:44:34 (Setup)-SilentInstall: 1...08:44:34 (Setup)-MinRequirements: 0...08:44:34 (Setup)-IsUpgrade: 0...08:44:34 (Setup)-TBInstallState: 4...08:44:34 (Setup)-SetupType: 50...08:44:34 (Setup)-SetupFlags: 42...08:44:34 (Setup)-PrevVersion: 0...08:44:34 (Setup)-TBInstall: 1...08:44:35 (Setup)-Report: http://stat.info-stream.net/report.php?no_policy=1&lang=0&source=setup-star
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Mar 31 20:28:36 2011, mtime=Tue Jul 16 11:44:38 2024, atime=Thu Mar 31 20:28:36 2011, length=1689, window=hide
                              Category:dropped
                              Size (bytes):877
                              Entropy (8bit):4.53096662869868
                              Encrypted:false
                              SSDEEP:12:8mTMcXYXih9FGbdpF4yy84ky3Y+K9MYjAqucSmbdpMxqtbdpMx8JvBmV:8mYTdEI19M8AqYCd+8d+qJvBm
                              MD5:7B9D822EA20787D698A701922E12C1E9
                              SHA1:F9C8AD3219650FC369EB50D05BA38D0736CD3862
                              SHA-256:CA0E1E7ABE37B485F93F8F59E356F5984503FA27B057E3C2177A496912453BEE
                              SHA-512:D70B1B0E88957E249C6F5BAB11EF45CECE85ACF5DD727B2997336376D789413AD01376B5F663F860CA3C3BFACA64C9F225FC9CA74FF51241E286F9C00C7D79BC
                              Malicious:false
                              Preview:L..................F.... ....ZJ.}....I..}....ZJ.}...........................u....P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I.X.e....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....Z.1......X.e..Unlocker..B.......X.e.X.e....V.....................f...U.n.l.o.c.k.e.r.....`.2......>.. .README.TXT..F......>...X.e.............................R.E.A.D.M.E...T.X.T.......S...............-.......R............IB......C:\Program Files\Unlocker\README.TXT..<.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.U.n.l.o.c.k.e.r.\.R.E.A.D.M.E...T.X.T...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.U.n.l.o.c.k.e.r.`.......X.......468325...........hT..CrF.f4... .i.T..b...,.......hT..CrF.f4... .i.T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Jan 9 23:32:34 2013, mtime=Tue Jul 16 11:44:38 2024, atime=Wed Jan 9 23:32:34 2013, length=124928, window=hide
                              Category:dropped
                              Size (bytes):889
                              Entropy (8bit):4.448393624910129
                              Encrypted:false
                              SSDEEP:12:8mCLtBYX7Th9hNv0dpF4yy84hxPeeiIjEjAYuc2bdpMxAxQbdpMx8JzBmV:8mCKrv0dYeehUAY8d+iid+qJzBm
                              MD5:AF2831201955807578FE767B27B49346
                              SHA1:6CFD9520F5A00F198657A731495DFD818D59E3EE
                              SHA-256:AB1F3486957FA3F6A89B0D29DF6CBD651A388738957007C3B7E719E2BB1CCFBE
                              SHA-512:42CC1AC5D0AE84EE7351E62C423E44DD4FBF47A2C73D20EA38669F212AF9F6872796AF0A2112E3B1533EA3CB287804A1D533BF7220FAC84C6FF67CF27A961B0F
                              Malicious:false
                              Preview:L..................F.... ....}.......r..}....}..............................{....P.O. .:i.....+00.../C:\.....................1......X.e..PROGRA~1..t......O.I.X.e....B...............J......e..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....Z.1......X.e..Unlocker..B.......X.e.X.e....V.....................S...U.n.l.o.c.k.e.r.....f.2.....*B.. .Unlocker.exe..J......*B...X.e.............................U.n.l.o.c.k.e.r...e.x.e.......U...............-.......T............IB......C:\Program Files\Unlocker\Unlocker.exe..>.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.U.n.l.o.c.k.e.r.\.U.n.l.o.c.k.e.r...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.U.n.l.o.c.k.e.r.`.......X.......468325...........hT..CrF.f4... .k.T..b...,.......hT..CrF.f4... .k.T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                              Category:dropped
                              Size (bytes):593
                              Entropy (8bit):2.7913299530091704
                              Encrypted:false
                              SSDEEP:6:4xtCl0TMl//A9LY/dlrtmlXP/lGMy0fK1KRSAtSbdlrMrl6HRSAVlubdlrMrlF:8wl0TkXXdpsFFK4qbdpMxEsbdpMxF
                              MD5:2D83A59CB7C11AA6B7801CEF69A0B189
                              SHA1:D1CE98D8A3B9CDA21A97A4B9641E9E29C645C458
                              SHA-256:130A70D4025BE067A40B01F45C996A915E78CAF01CA0AA08BF56DD13F718252E
                              SHA-512:DD758D1D281C4FB8D96480A1FE90723C940497170E215589ED50B7B8D3DB1610F313D5696C629CC0DEFE8BB403CD4D49F5BF458152FCFE9AE25430C3A9BE2BAC
                              Malicious:false
                              Preview:L..................F........................................................Q....P.O. .:i.....+00.../C:\...................h.1...........Program Files.L............................................P.r.o.g.r.a.m. .F.i.l.e.s.....Z.1...........Unlocker..B............................................U.n.l.o.c.k.e.r.....`.2...........uninst.exe..F............................................u.n.i.n.s.t...e.x.e.......<.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.U.n.l.o.c.k.e.r.\.u.n.i.n.s.t...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.U.n.l.o.c.k.e.r.....
                              Process:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Jul 16 11:44:38 2024, mtime=Tue Jul 16 11:44:38 2024, atime=Tue Jul 16 11:44:38 2024, length=56, window=hide
                              Category:dropped
                              Size (bytes):889
                              Entropy (8bit):4.467438922708606
                              Encrypted:false
                              SSDEEP:12:8mYCBYX7Th9hNv0dpF4yy846gtBjEjAYuc8SbdpMxAxrbdpMx8Ju+nBmV:8mYFrv0doUAYFd+iBd+qJfBm
                              MD5:53A21DD07780BE13C515B4094922E949
                              SHA1:E0E2081F2B0D4C60A5E83F8823192CE14D8C96AB
                              SHA-256:67B6B66FA1FBF8C81298287A8EA0924B19959D820353CDC9BDD4D8E5C6C3BDA0
                              SHA-512:5AE762050E0D8BA256DA56D37929BF9FF69F58531E53B852E1B31117C5A42F1C365A440A08BF5FC9B4041C12C63A3791AC3E642C5E3BD8F53369273AEB4DAE3B
                              Malicious:false
                              Preview:L..................F.... ...O...}...O...}...O...}...8.......................{....P.O. .:i.....+00.../C:\.....................1......X.e..PROGRA~1..t......O.I.X.e....B...............J......e..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....Z.1......X.e..Unlocker..B.......X.e.X.e....V.........................U.n.l.o.c.k.e.r.....f.2.8....X.e .Unlocker.url..J.......X.e.X.e....|......................i..U.n.l.o.c.k.e.r...u.r.l.......U...............-.......T............IB......C:\Program Files\Unlocker\Unlocker.url..>.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.U.n.l.o.c.k.e.r.\.U.n.l.o.c.k.e.r...u.r.l...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.U.n.l.o.c.k.e.r.`.......X.......468325...........hT..CrF.f4... ...T..b...,.......hT..CrF.f4... ...T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                              Entropy (8bit):7.958432599476033
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 92.16%
                              • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:Unlocker1.9.2.exe
                              File size:1'078'591 bytes
                              MD5:1e02d6aa4a199448719113ae3926afb2
                              SHA1:f1eff6451ced129c0e5c0a510955f234a01158a0
                              SHA256:fb6b1171776554a808c62f4045f5167603f70bf7611de64311ece0624b365397
                              SHA512:7d0f1416beb8c141ee992fe594111042309690c00741dff8f9f31b4652ed6a96b57532780e3169391440076d7ace63966fab526a076adcdc7f7ab389b4d0ff98
                              SSDEEP:24576:eLMeYSiGTpTLDxxwqQcqOj5eyHox6ZGmAuXE7ZBlbT:+PbVvwqQpoLHontDrlbT
                              TLSH:C235231333E1E96AC1190B70A7DBD7B62772F3E22319874B7B0443AB5C252096F21E95
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................Z.........
                              Icon Hash:2d2e3797b32b2b99
                              Entrypoint:0x4030cb
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                              DLL Characteristics:TERMINAL_SERVER_AWARE
                              Time Stamp:0x4B1AE3C1 [Sat Dec 5 22:50:41 2009 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:7fa974366048f9c551ef45714595665e
                              Instruction
                              sub esp, 00000180h
                              push ebx
                              push ebp
                              push esi
                              xor ebx, ebx
                              push edi
                              mov dword ptr [esp+18h], ebx
                              mov dword ptr [esp+10h], 00409160h
                              xor esi, esi
                              mov byte ptr [esp+14h], 00000020h
                              call dword ptr [00407030h]
                              push 00008001h
                              call dword ptr [004070B0h]
                              push ebx
                              call dword ptr [0040727Ch]
                              push 00000008h
                              mov dword ptr [00423F38h], eax
                              call 00007F3BD4C21786h
                              mov dword ptr [00423E84h], eax
                              push ebx
                              lea eax, dword ptr [esp+34h]
                              push 00000160h
                              push eax
                              push ebx
                              push 0041F430h
                              call dword ptr [00407158h]
                              push 00409154h
                              push 00423680h
                              call 00007F3BD4C21439h
                              call dword ptr [004070ACh]
                              mov edi, 00429000h
                              push eax
                              push edi
                              call 00007F3BD4C21427h
                              push ebx
                              call dword ptr [0040710Ch]
                              cmp byte ptr [00429000h], 00000022h
                              mov dword ptr [00423E80h], eax
                              mov eax, edi
                              jne 00007F3BD4C1EB9Ch
                              mov byte ptr [esp+14h], 00000022h
                              mov eax, 00429001h
                              push dword ptr [esp+14h]
                              push eax
                              call 00007F3BD4C20F1Ah
                              push eax
                              call dword ptr [0040721Ch]
                              mov dword ptr [esp+1Ch], eax
                              jmp 00007F3BD4C1EBF5h
                              cmp cl, 00000020h
                              jne 00007F3BD4C1EB98h
                              inc eax
                              cmp byte ptr [eax], 00000020h
                              je 00007F3BD4C1EB8Ch
                              cmp byte ptr [eax], 00000022h
                              mov byte ptr [eax+eax+00h], 00000000h
                              Programming Language:
                              • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2e000 | 0x5868 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x58d2 | 0x5a00 | c69726ed422d3dcfdec9731986daa752 | False | 0.665234375 | data | 6.4331003482809646 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1190 | 0x1200 | a2c7710fa66fcbb43c7ef0ab9eea5e9a | False | 0.4453125 | data | 5.179763757809345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1af78 | 0x400 | e59cdcb732e4bfbc84cc61dd68354f78 | False | 0.55078125 | data | 4.617802320695973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x24000 | 0xa000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e000 | 0x5868 | 0x5a00 | 8b67078cff291e2e620913fd415535fa | False | 0.15108506944444444 | data | 3.417266606112887 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x2ea78 | 0x666 | Device independent bitmap graphic, 96 x 16 x 8, image size 1538, resolution 2868 x 2868 px/m, 15 important colors | English | United States | 0.18192918192918192
RT_ICON | 0x2f0e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | English | United States | 0.2378158844765343
RT_ICON | 0x2f988 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256 | English | United States | 0.20809248554913296
RT_DIALOG | 0x2fef0 | 0xb4 | data | English | United States | 0.6111111111111112
RT_DIALOG | 0x2ffa8 | 0x120 | data | English | United States | 0.5138888888888888
RT_DIALOG | 0x300c8 | 0x118 | data | English | United States | 0.5428571428571428
RT_DIALOG | 0x301e0 | 0x202 | data | English | United States | 0.4085603112840467
RT_DIALOG | 0x303e8 | 0xf8 | data | English | United States | 0.6290322580645161
RT_DIALOG | 0x304e0 | 0xee | data | English | United States | 0.6260504201680672
RT_DIALOG | 0x305d0 | 0xb4 | data | English | United States | 0.6888888888888889
RT_DIALOG | 0x30688 | 0x120 | data | English | United States | 0.5381944444444444
RT_DIALOG | 0x307a8 | 0x118 | data | English | United States | 0.5857142857142857
RT_DIALOG | 0x308c0 | 0x202 | data | English | United States | 0.42217898832684825
RT_DIALOG | 0x30ac8 | 0xf8 | data | English | United States | 0.6653225806451613
RT_DIALOG | 0x30bc0 | 0xee | data | English | United States | 0.6512605042016807
RT_DIALOG | 0x30cb0 | 0xb4 | data | English | United States | 0.6888888888888889
RT_DIALOG | 0x30d68 | 0x120 | data | English | United States | 0.5381944444444444
RT_DIALOG | 0x30e88 | 0x118 | data | English | United States | 0.5857142857142857
RT_DIALOG | 0x30fa0 | 0x202 | data | English | United States | 0.42217898832684825
RT_DIALOG | 0x311a8 | 0xf8 | data | English | United States | 0.6653225806451613
RT_DIALOG | 0x312a0 | 0xee | data | English | United States | 0.6512605042016807
RT_DIALOG | 0x31390 | 0xb4 | data | English | United States | 0.6888888888888889
RT_DIALOG | 0x31448 | 0x120 | data | English | United States | 0.5381944444444444
RT_DIALOG | 0x31568 | 0x118 | data | English | United States | 0.5857142857142857
RT_DIALOG | 0x31680 | 0x202 | data | English | United States | 0.42217898832684825
RT_DIALOG | 0x31888 | 0xf8 | data | English | United States | 0.6653225806451613
RT_DIALOG | 0x31980 | 0xee | data | English | United States | 0.6512605042016807
RT_DIALOG | 0x31a70 | 0xac | data | English | United States | 0.6337209302325582
RT_DIALOG | 0x31b20 | 0x118 | data | English | United States | 0.5321428571428571
RT_DIALOG | 0x31c38 | 0x110 | data | English | United States | 0.5551470588235294
RT_DIALOG | 0x31d48 | 0x1fa | data | English | United States | 0.40118577075098816
RT_DIALOG | 0x31f48 | 0xf0 | data | English | United States | 0.6666666666666666
RT_DIALOG | 0x32038 | 0xe6 | data | English | United States | 0.6565217391304348
RT_DIALOG | 0x32120 | 0xa0 | data | English | United States | 0.60625
RT_DIALOG | 0x321c0 | 0x10c | data | English | United States | 0.5111940298507462
RT_DIALOG | 0x322d0 | 0x104 | data | English | United States | 0.5346153846153846
RT_DIALOG | 0x323d8 | 0x1ee | data | English | United States | 0.38866396761133604
RT_DIALOG | 0x325c8 | 0xe4 | data | English | United States | 0.6447368421052632
RT_DIALOG | 0x326b0 | 0xda | data | English | United States | 0.6422018348623854
RT_DIALOG | 0x32790 | 0xa0 | data | English | United States | 0.6
RT_DIALOG | 0x32830 | 0x10c | data | English | United States | 0.5111940298507462
RT_DIALOG | 0x32940 | 0x104 | data | English | United States | 0.5346153846153846
RT_DIALOG | 0x32a48 | 0x1ee | data | English | United States | 0.3866396761133603
RT_DIALOG | 0x32c38 | 0xe4 | data | English | United States | 0.6359649122807017
RT_DIALOG | 0x32d20 | 0xda | data | English | United States | 0.6376146788990825
RT_DIALOG | 0x32e00 | 0xa4 | data | English | United States | 0.6158536585365854
RT_DIALOG | 0x32ea8 | 0x110 | data | English | United States | 0.5183823529411765
RT_DIALOG | 0x32fb8 | 0x108 | data | English | United States | 0.5416666666666666
RT_DIALOG | 0x330c0 | 0x1f2 | data | English | United States | 0.39759036144578314
RT_DIALOG | 0x332b8 | 0xe8 | data | English | United States | 0.6508620689655172
RT_DIALOG | 0x333a0 | 0xde | data | English | United States | 0.6486486486486487
RT_GROUP_ICON | 0x33480 | 0x22 | data | English | United States | 0.9705882352941176
RT_MANIFEST | 0x334a8 | 0x3be | XML 1.0 document, ASCII text, with very long lines (958), with no line terminators | English | United States | 0.5198329853862212
DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-16T14:44:37.431977+0200 | TCP | 2012735 | ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE) | 49734 | 80 | 192.168.2.4 | 198.143.128.244
2024-07-16T14:44:38.291598+0200 | TCP | 2012735 | ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE) | 49736 | 80 | 192.168.2.4 | 184.154.27.232
2024-07-16T14:44:37.790287+0200 | TCP | 2012735 | ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE) | 49731 | 80 | 192.168.2.4 | 184.154.27.232
2024-07-16T14:44:36.804732+0200 | TCP | 2012735 | ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE) | 49732 | 80 | 192.168.2.4 | 184.154.27.232
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 16, 2024 14:44:35.974952936 CEST | 192.168.2.4 | 1.1.1.1 | 0x5704 | Standard query (0) | stat.info-stream.net | A (IP address) | IN (0x0001) | false
Jul 16, 2024 14:44:36.082061052 CEST | 192.168.2.4 | 1.1.1.1 | 0x433d | Standard query (0) | stp.babylon.com | A (IP address) | IN (0x0001) | false
Jul 16, 2024 14:44:36.815126896 CEST | 192.168.2.4 | 1.1.1.1 | 0xd277 | Standard query (0) | dl.babylon.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 16, 2024 14:44:36.251116991 CEST | 1.1.1.1 | 192.168.2.4 | 0x5704 | No error (0) | stat.info-stream.net | stat.babylon-services.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 16, 2024 14:44:36.251116991 CEST | 1.1.1.1 | 192.168.2.4 | 0x5704 | No error (0) | stat.babylon-services.com | | 184.154.27.232 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 14:44:36.258400917 CEST | 1.1.1.1 | 192.168.2.4 | 0x433d | No error (0) | stp.babylon.com | stp.babylon-services.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 16, 2024 14:44:36.258400917 CEST | 1.1.1.1 | 192.168.2.4 | 0x433d | No error (0) | stp.babylon-services.com | | 184.154.27.232 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 14:44:36.869319916 CEST | 1.1.1.1 | 192.168.2.4 | 0xd277 | No error (0) | dl.babylon.com | dl.babylon-services.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 16, 2024 14:44:36.869319916 CEST | 1.1.1.1 | 192.168.2.4 | 0xd277 | No error (0) | dl.babylon-services.com | | 198.143.128.244 | A (IP address) | IN (0x0001) | false
                              • stat.info-stream.net
                              • stp.babylon.com
                              • dl.babylon.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 184.154.27.232 | 80 | 7396 | C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
Timestamp | Bytes transferred | Direction | Data
Jul 16, 2024 14:44:36.262923956 CEST | 579 | OUT | GET /report.php?no_policy=1&lang=0&source=setup-start&stage=0&ver=9.1.1.10&affilID=122471&guid={58179BB7-E7F9-4C19-A3E7-DD439943CF6D}&mntrId=D842ECF4BBEA1588&moldid=d84249be000000000000ecf4bbea1588&sufn=Unlocker1.9.2.exe&iev=11&ffv=1&crv=117&dwb=cr&dlb=cr&wbr=4&ibprs=NA&ibprv=0&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&avr=V2luZG93cyBEZWZlbmRlcg==&tbtp=def&tbinst=1&w64=1&cntry=CH&cat=delta&uac=1&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:0;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0 HTTP/1.1
                              User-Agent: Babylon
                              Host: stat.info-stream.net
                              Cache-Control: no-cache
                              Jul 16, 2024 14:44:36.792442083 CEST | 179 | IN | HTTP/1.1 200 OK
                              Date: Tue, 16 Jul 2024 12:44:36 GMT
                              Server: Apache
                              Transfer-Encoding: chunked
                              Content-Type: image/gif
                              Data Raw: 32 62 0d 0a 47 49 46 38 39 61 01 00 01 00 80 00 00 ff ff ff 00 00 00 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 02 44 01 00 3b 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 2bGIF89a!,D;0
                              Jul 16, 2024 14:44:37.781819105 CEST | 745 | OUT | GET /report.php?no_policy=1&lang=0&source=setup-end&stage=91&ver=9.1.1.10&affilID=122471&guid={58179BB7-E7F9-4C19-A3E7-DD439943CF6D}&mntrId=D842ECF4BBEA1588&moldid=d84249be000000000000ecf4bbea1588&sufn=Unlocker1.9.2.exe&iev=11&ffv=1&crv=117&dwb=cr&dlb=cr&wbr=4&ibprs=NA&ibprv=0&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&avr=V2luZG93cyBEZWZlbmRlcg==&tbtp=def&tbinst=1&w64=1&cntry=CH&cat=delta&uac=1&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:0;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0&hp=4&dsp=4&tb=4&hpx=0&dspx=0&rvrt=0&excd=0&stm=1&nvs=0&dnld=100&dcnt=1&dtot=1&dlerr=200&dltm=0&dlsz=3844&dsflr=0&errurl=Setup2.zpb&hpc=1998245871&spc=1998245871&tbx=0 HTTP/1.1
                              User-Agent: Babylon
                              Host: stat.info-stream.net
                              Cache-Control: no-cache


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              1 | 192.168.2.4 | 49732 | 184.154.27.232 | 80 | 7396 | C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Jul 16, 2024 14:44:36.265708923 CEST | 575 | OUT | GET /downloader.php?ver=9.1.1.10&affilID=122471&guid={58179BB7-E7F9-4C19-A3E7-DD439943CF6D}&mntrId=D842ECF4BBEA1588&moldid=d84249be000000000000ecf4bbea1588&sufn=Unlocker1.9.2.exe&iev=11&ffv=1&crv=117&dwb=cr&dlb=cr&wbr=4&ibprs=NA&ibprv=0&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&avr=V2luZG93cyBEZWZlbmRlcg==&tbtp=def&tbinst=1&w64=1&cntry=CH&cat=delta&uac=1&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:0;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0&lang=en&zpb=1&geo=1 HTTP/1.1
                              User-Agent: Babylon
                              Host: stp.babylon.com
                              Connection: Keep-Alive
                              Cookie: affilID=122471
                              Jul 16, 2024 14:44:36.804668903 CEST | 587 | IN | HTTP/1.1 200 OK
                              Date: Tue, 16 Jul 2024 16:36:24 GMT
                              Server: Apache
                              Set-Cookie: affilID=deleted; expires=Mon, 17-Jul-2023 16:36:23 GMT; path=/; domain=.babylon.com
                              Vary: Accept-Encoding
                              Keep-Alive: timeout=1, max=100
                              Connection: Keep-Alive
                              Transfer-Encoding: chunked
                              Content-Type: text/html
                              Data Ascii: 112!-trkInfo=[TType:5012_7];#DQ0BWQFd4nGNiYGZiYGEFYjYgNgFiFiYGZkYHZ&3ikhQ3twjPvOKSHAX9nLx022gfRz&3WAX9xLScEtukxKTi4hIF&dK8TKCKxJwcx5wcBgEwiJ2ruxMA0PcVLQ;#DQyEgeJxjYmBmYmBhBWI2IDYCYi5GVsYGARB41vZ8IgAW5QQg;$http://dl.babylon.com/site/files/Setup9/dwr/latest/latest_bl/Setup2.zpb;0


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              2 | 192.168.2.4 | 49734 | 198.143.128.244 | 80 | 7396 | C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Jul 16, 2024 14:44:36.875169039 CEST | 134 | OUT | GET /site/files/Setup9/dwr/latest/latest_bl/Setup2.zpb HTTP/1.1
                              User-Agent: Babylon
                              Host: dl.babylon.com
                              Connection: Keep-Alive
                              Jul 16, 2024 14:44:37.431907892 CEST | 1236 | IN | HTTP/1.1 200 OK
                              Server: nginx/1.13.12
                              Date: Tue, 16 Jul 2024 12:44:35 GMT
                              Content-Type: application/octet-stream
                              Content-Length: 3844
                              Last-Modified: Wed, 01 Oct 2014 12:08:35 GMT
                              Connection: keep-alive
                              Keep-Alive: timeout=30
                              ETag: "542beec3-f04"
                              Accept-Ranges: bytes


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              3 | 192.168.2.4 | 49736 | 184.154.27.232 | 80 | 7396 | C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Jul 16, 2024 14:44:37.797085047 CEST | 745 | OUT | GET /report.php?no_policy=1&lang=0&source=setup-end&stage=91&ver=9.1.1.10&affilID=122471&guid={58179BB7-E7F9-4C19-A3E7-DD439943CF6D}&mntrId=D842ECF4BBEA1588&moldid=d84249be000000000000ecf4bbea1588&sufn=Unlocker1.9.2.exe&iev=11&ffv=1&crv=117&dwb=cr&dlb=cr&wbr=4&ibprs=NA&ibprv=0&sutp=50&sufl=66&tbp=0&prver=0&minreq=0&dtct=-10000000&wvr=602&avr=V2luZG93cyBEZWZlbmRlcg==&tbtp=def&tbinst=1&w64=1&cntry=CH&cat=delta&uac=1&osp=hp0:-1938492880;hp1:0;hp2:0;dsp0:0;dsp1:0;dsp2:0;&dnt=2.0,3.0,3.5,4.0&hp=4&dsp=4&tb=4&hpx=0&dspx=0&rvrt=0&excd=0&stm=1&nvs=0&dnld=100&dcnt=1&dtot=1&dlerr=200&dltm=0&dlsz=3844&dsflr=0&errurl=Setup2.zpb&hpc=1998245871&spc=1998245871&tbx=0 HTTP/1.1
                              User-Agent: Babylon
                              Host: stat.info-stream.net
                              Cache-Control: no-cache
                              Jul 16, 2024 14:44:38.291377068 CEST | 179 | IN | HTTP/1.1 200 OK
                              Date: Tue, 16 Jul 2024 12:44:38 GMT
                              Server: Apache
                              Transfer-Encoding: chunked
                              Content-Type: image/gif
                              Data Raw: 32 62 0d 0a 47 49 46 38 39 61 01 00 01 00 80 00 00 ff ff ff 00 00 00 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 02 44 01 00 3b 0d 0a 30 0d 0a 0d 0a
                              Data Ascii: 2bGIF89a!,D;0



                              Target ID:0
                              Start time:08:44:17
                              Start date:16/07/2024
                              Path:C:\Users\user\Desktop\Unlocker1.9.2.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\Unlocker1.9.2.exe"
                              Imagebase:0x400000
                              File size:1'078'591 bytes
                              MD5 hash:1E02D6AA4A199448719113AE3926AFB2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low
                              Has exited:true

                              Target ID:1
                              Start time:08:44:31
                              Start date:16/07/2024
                              Path:C:\Users\user\AppData\Local\Temp\DeltaTB.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\DeltaTB.exe" /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt
                              Imagebase:0xfe0000
                              File size:785'904 bytes
                              MD5 hash:EB2764885565B6C01CB32E5F51F213B3
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 46%, ReversingLabs
                              Reputation:low
                              Has exited:true

                              Target ID:2
                              Start time:08:44:31
                              Start date:16/07/2024
                              Path:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Setup.exe" -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt
                              Imagebase:0x400000
                              File size:1'898'992 bytes
                              MD5 hash:26F6D1B6756A83DE9755A05F7C030D75
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 26%, ReversingLabs
                              Reputation:low
                              Has exited:true

                              Target ID:4
                              Start time:08:44:32
                              Start date:16/07/2024
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Local\Temp\BD7BB1~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com
                              Imagebase:0xfb0000
                              File size:61'440 bytes
                              MD5 hash:889B99C52A60DD49227C5E485A016679
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:08:44:32
                              Start date:16/07/2024
                              Path:C:\Program Files (x86)\Internet Explorer\ielowutil.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -PID:123
                              Imagebase:0xbe0000
                              File size:221'696 bytes
                              MD5 hash:650FE7460630188008BF8C8153526CEB
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:7
                              Start time:08:44:36
                              Start date:16/07/2024
                              Path:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\setup.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\AppData\Local\Temp\BD7BB134-BAB0-7891-AC15-738E5042A7D7\Latest\Setup.exe -latest -trkInfo=[TType:5012_7] -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt
                              Imagebase:0xbc0000
                              File size:8'704 bytes
                              MD5 hash:5790A04F78C61C3CAEA7DDD6F01829D2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 0%, ReversingLabs
                              Reputation:low
                              Has exited:true

                              Target ID:8
                              Start time:08:44:38
                              Start date:16/07/2024
                              Path:C:\Windows\SysWOW64\regsvr32.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Unlocker\UnlockerCOM.dll"
                              Imagebase:0x810000
                              File size:20'992 bytes
                              MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:08:44:38
                              Start date:16/07/2024
                              Path:C:\Windows\System32\regsvr32.exe
                              Wow64 process (32bit):false
                              Commandline: /s "C:\Program Files\Unlocker\UnlockerCOM.dll"
                              Imagebase:0x7ff6c8de0000
                              File size:25'088 bytes
                              MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true


                                Execution Graph

                                Execution Coverage:34.4%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:23.6%
                                Total number of Nodes:1242
                                Total number of Limit Nodes:60
3501 404232 3496->3501 3497->3487 3502 404305 CoTaskMemFree 3497->3502 3503 40438d 3498->3503 3504 403d8f 19 API calls 3499->3504 3501->3489 3507 4054d0 3 API calls 3501->3507 3505 4054d0 3 API calls 3502->3505 3549 4059dd lstrcpynA 3503->3549 3506 404268 3504->3506 3508 404312 3505->3508 3547 403dc4 SendMessageA 3506->3547 3507->3489 3511 404349 SetDlgItemTextA 3508->3511 3516 4059ff 18 API calls 3508->3516 3511->3487 3512 4043a4 3514 405cff 3 API calls 3512->3514 3513 404270 3515 405cff 3 API calls 3513->3515 3525 4043ac 3514->3525 3517 404277 3515->3517 3518 404331 lstrcmpiA 3516->3518 3520 40427f SHAutoComplete 3517->3520 3517->3543 3518->3511 3522 404342 lstrcatA 3518->3522 3519 4043e6 3551 4059dd lstrcpynA 3519->3551 3520->3490 3522->3511 3523 4043b9 GetDiskFreeSpaceExA 3523->3525 3533 404439 3523->3533 3524 4043ef 3526 405564 4 API calls 3524->3526 3525->3519 3525->3523 3528 405517 2 API calls 3525->3528 3527 4043f5 3526->3527 3529 4043f9 3527->3529 3530 4043fc GetDiskFreeSpaceA 3527->3530 3528->3525 3529->3530 3531 404451 3530->3531 3532 404417 MulDiv 3530->3532 3531->3533 3532->3533 3534 404568 21 API calls 3533->3534 3544 404496 3533->3544 3535 404488 3534->3535 3538 404498 SetDlgItemTextA 3535->3538 3539 40448d 3535->3539 3536 40140b 2 API calls 3540 4044b9 3536->3540 3538->3544 3542 404568 21 API calls 3539->3542 3552 403db1 KiUserCallbackDispatcher 3540->3552 3541 4044d5 3541->3543 3545 4044e2 3541->3545 3542->3544 3543->3495 3544->3536 3544->3540 3553 404162 3545->3553 3547->3513 3548->3493 3549->3512 3550->3485 3551->3524 3552->3541 3554 404170 3553->3554 3555 404175 SendMessageA 3553->3555 3554->3555 3555->3543 3562 401f51 3563 401f63 3562->3563 3564 402012 3562->3564 3565 4029f6 18 API calls 3563->3565 3567 401423 25 API calls 3564->3567 3566 401f6a 3565->3566 3568 4029f6 18 API calls 3566->3568 3572 402169 3567->3572 3569 401f73 3568->3569 3570 401f88 LoadLibraryExA 3569->3570 3571 401f7b GetModuleHandleA 3569->3571 3570->3564 3573 401f98 
GetProcAddress 3570->3573 3571->3570 3571->3573 3574 401fe5 3573->3574 3575 401fa8 3573->3575 3576 404d7b 25 API calls 3574->3576 3578 401fb8 3575->3578 3580 401423 3575->3580 3576->3578 3578->3572 3579 402006 FreeLibrary 3578->3579 3579->3572 3581 404d7b 25 API calls 3580->3581 3582 401431 3581->3582 3582->3578 4017 4014d6 4018 4029d9 18 API calls 4017->4018 4019 4014dc Sleep 4018->4019 4021 40288b 4019->4021 3591 403ed7 3592 403ffa 3591->3592 3593 403eed 3591->3593 3594 404069 3592->3594 3597 40413d 3592->3597 3601 40403e GetDlgItem SendMessageA 3592->3601 3595 403d8f 19 API calls 3593->3595 3596 404073 GetDlgItem 3594->3596 3594->3597 3598 403f43 3595->3598 3599 404089 3596->3599 3600 4040fb 3596->3600 3602 403df6 8 API calls 3597->3602 3603 403d8f 19 API calls 3598->3603 3599->3600 3607 4040af 6 API calls 3599->3607 3600->3597 3608 40410d 3600->3608 3622 403db1 KiUserCallbackDispatcher 3601->3622 3605 404138 3602->3605 3606 403f50 CheckDlgButton 3603->3606 3620 403db1 KiUserCallbackDispatcher 3606->3620 3607->3600 3611 404113 SendMessageA 3608->3611 3612 404124 3608->3612 3609 404064 3614 404162 SendMessageA 3609->3614 3611->3612 3612->3605 3613 40412a SendMessageA 3612->3613 3613->3605 3614->3594 3615 403f6e GetDlgItem 3621 403dc4 SendMessageA 3615->3621 3617 403f84 SendMessageA 3618 403fa2 GetSysColor 3617->3618 3619 403fab SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 3617->3619 3618->3619 3619->3605 3620->3615 3621->3617 3622->3609 4027 4018d8 4028 40190f 4027->4028 4029 4029f6 18 API calls 4028->4029 4030 401914 4029->4030 4031 405302 68 API calls 4030->4031 4032 40191d 4031->4032 4033 4018db 4034 4029f6 18 API calls 4033->4034 4035 4018e2 4034->4035 4036 40529e MessageBoxIndirectA 4035->4036 4037 4018eb 4036->4037 4052 4034e4 4053 4034ef 4052->4053 4054 4034f3 4053->4054 4055 4034f6 GlobalAlloc 4053->4055 4055->4054 4063 401ae5 4064 4029f6 18 API calls 4063->4064 4065 401aec 4064->4065 4066 4029d9 18 API calls 4065->4066 4067 401af5 
wsprintfA 4066->4067 4068 40288b 4067->4068 3674 402866 SendMessageA 3675 402880 InvalidateRect 3674->3675 3676 40288b 3674->3676 3675->3676 4069 4019e6 4070 4029f6 18 API calls 4069->4070 4071 4019ef ExpandEnvironmentStringsA 4070->4071 4072 401a03 4071->4072 4074 401a16 4071->4074 4073 401a08 lstrcmpA 4072->4073 4072->4074 4073->4074 3677 402267 3678 4029f6 18 API calls 3677->3678 3679 402275 3678->3679 3680 4029f6 18 API calls 3679->3680 3681 40227e 3680->3681 3682 4029f6 18 API calls 3681->3682 3683 402288 GetPrivateProfileStringA 3682->3683 4075 401c6d 4076 4029d9 18 API calls 4075->4076 4077 401c73 IsWindow 4076->4077 4078 4019d6 4077->4078 4079 4014f0 SetForegroundWindow 4080 40288b 4079->4080 4081 402172 4082 4029f6 18 API calls 4081->4082 4083 402178 4082->4083 4084 4029f6 18 API calls 4083->4084 4085 402181 4084->4085 4086 4029f6 18 API calls 4085->4086 4087 40218a 4086->4087 4088 405cd8 2 API calls 4087->4088 4089 402193 4088->4089 4090 4021a4 lstrlenA lstrlenA 4089->4090 4091 402197 4089->4091 4092 404d7b 25 API calls 4090->4092 4093 404d7b 25 API calls 4091->4093 4095 40219f 4091->4095 4094 4021e0 SHFileOperationA 4092->4094 4093->4095 4094->4091 4094->4095 4096 4021f4 4097 4021fb 4096->4097 4098 40220e 4096->4098 4099 4059ff 18 API calls 4097->4099 4100 402208 4099->4100 4101 40529e MessageBoxIndirectA 4100->4101 4101->4098 4102 4062f4 4106 405e2c 4102->4106 4103 406797 4104 405eb6 GlobalAlloc 4104->4103 4104->4106 4105 405ead GlobalFree 4105->4104 4106->4103 4106->4104 4106->4105 4106->4106 4107 405f24 GlobalFree 4106->4107 4108 405f2d GlobalAlloc 4106->4108 4107->4108 4108->4103 4108->4106 4109 4016fa 4110 4029f6 18 API calls 4109->4110 4111 401701 SearchPathA 4110->4111 4112 40171c 4111->4112 4113 4025fb 4114 402602 4113->4114 4115 40288b 4113->4115 4116 402608 FindClose 4114->4116 4116->4115 3855 40267c 3856 4029f6 18 API calls 3855->3856 3858 40268a 3856->3858 3857 4026a0 3860 405695 2 API calls 3857->3860 3858->3857 3859 4029f6 18 API calls 
3858->3859 3859->3857 3861 4026a6 3860->3861 3881 4056b4 GetFileAttributesA CreateFileA 3861->3881 3863 4026b3 3864 40275c 3863->3864 3865 4026bf GlobalAlloc 3863->3865 3866 402764 DeleteFileA 3864->3866 3867 402777 3864->3867 3868 402753 CloseHandle 3865->3868 3869 4026d8 3865->3869 3866->3867 3868->3864 3882 403080 SetFilePointer 3869->3882 3871 4026de 3872 40304e ReadFile 3871->3872 3873 4026e7 GlobalAlloc 3872->3873 3874 4026f7 3873->3874 3875 40272b WriteFile GlobalFree 3873->3875 3876 402e5b 37 API calls 3874->3876 3877 402e5b 37 API calls 3875->3877 3880 402704 3876->3880 3878 402750 3877->3878 3878->3868 3879 402722 GlobalFree 3879->3875 3880->3879 3881->3863 3882->3871 4117 4014fe 4118 401506 4117->4118 4120 401519 4117->4120 4119 4029d9 18 API calls 4118->4119 4119->4120 4121 401000 4122 401037 BeginPaint GetClientRect 4121->4122 4124 40100c DefWindowProcA 4121->4124 4125 4010f3 4122->4125 4126 401179 4124->4126 4127 401073 CreateBrushIndirect FillRect DeleteObject 4125->4127 4128 4010fc 4125->4128 4127->4125 4129 401102 CreateFontIndirectA 4128->4129 4130 401167 EndPaint 4128->4130 4129->4130 4131 401112 6 API calls 4129->4131 4130->4126 4131->4130 4132 404502 4133 404512 4132->4133 4134 40452e 4132->4134 4143 405282 GetDlgItemTextA 4133->4143 4136 404561 4134->4136 4137 404534 SHGetPathFromIDListA 4134->4137 4139 40454b SendMessageA 4137->4139 4140 404544 4137->4140 4138 40451f SendMessageA 4138->4134 4139->4136 4142 40140b 2 API calls 4140->4142 4142->4139 4143->4138 2888 402303 2889 402309 2888->2889 2905 4029f6 2889->2905 2892 4029f6 18 API calls 2893 402325 RegCreateKeyExA 2892->2893 2894 40288b 2893->2894 2895 40234f 2893->2895 2896 402367 2895->2896 2897 4029f6 18 API calls 2895->2897 2898 402373 2896->2898 2911 4029d9 2896->2911 2901 402360 lstrlenA 2897->2901 2900 40238e RegSetValueExA 2898->2900 2914 402e5b 2898->2914 2903 4023a4 RegCloseKey 2900->2903 2901->2896 2903->2894 2906 402a02 2905->2906 2935 4059ff 2906->2935 2909 40231b 2909->2892 
2912 4059ff 18 API calls 2911->2912 2913 4029ed 2912->2913 2913->2898 2916 402e71 2914->2916 2915 402e9c 2974 40304e ReadFile 2915->2974 2916->2915 2994 403080 SetFilePointer 2916->2994 2920 402fe2 2922 402fe6 2920->2922 2927 402ffe 2920->2927 2921 402eb9 GetTickCount 2931 402ecc 2921->2931 2924 40304e ReadFile 2922->2924 2923 402fcd 2923->2900 2924->2923 2925 40304e ReadFile 2925->2927 2926 40304e ReadFile 2926->2931 2927->2923 2927->2925 2928 403019 WriteFile 2927->2928 2928->2923 2928->2927 2930 402f32 GetTickCount 2930->2931 2931->2923 2931->2926 2931->2930 2932 402f5b MulDiv wsprintfA 2931->2932 2933 402f99 WriteFile 2931->2933 2976 405df9 2931->2976 2983 404d7b 2932->2983 2933->2923 2933->2931 2944 405a0c 2935->2944 2936 405c26 2937 402a23 2936->2937 2969 4059dd lstrcpynA 2936->2969 2937->2909 2953 405c3f 2937->2953 2939 405aa4 GetVersion 2939->2944 2940 405bfd lstrlenA 2940->2944 2941 4059ff 10 API calls 2941->2940 2944->2936 2944->2939 2944->2940 2944->2941 2945 405b1c GetSystemDirectoryA 2944->2945 2947 405b2f GetWindowsDirectoryA 2944->2947 2948 405c3f 5 API calls 2944->2948 2949 4059ff 10 API calls 2944->2949 2950 405ba6 lstrcatA 2944->2950 2951 405b63 SHGetSpecialFolderLocation 2944->2951 2962 4058c4 RegOpenKeyExA 2944->2962 2967 40593b wsprintfA 2944->2967 2968 4059dd lstrcpynA 2944->2968 2945->2944 2947->2944 2948->2944 2949->2944 2950->2944 2951->2944 2952 405b7b SHGetPathFromIDListA CoTaskMemFree 2951->2952 2952->2944 2954 405c4b 2953->2954 2956 405ca8 CharNextA 2954->2956 2958 405cb3 2954->2958 2960 405c96 CharNextA 2954->2960 2961 405ca3 CharNextA 2954->2961 2970 4054fb 2954->2970 2955 405cb7 CharPrevA 2955->2958 2956->2954 2956->2958 2958->2955 2959 405cd2 2958->2959 2959->2909 2960->2954 2961->2956 2963 405935 2962->2963 2964 4058f7 RegQueryValueExA 2962->2964 2963->2944 2965 405918 RegCloseKey 2964->2965 2965->2963 2967->2944 2968->2944 2969->2937 2971 405501 2970->2971 2972 405514 2971->2972 2973 405507 CharNextA 2971->2973 2972->2954 
2973->2971 2975 402ea7 2974->2975 2975->2920 2975->2921 2975->2923 2977 405e1e 2976->2977 2978 405e26 2976->2978 2977->2931 2978->2977 2979 405eb6 GlobalAlloc 2978->2979 2980 405ead GlobalFree 2978->2980 2981 405f24 GlobalFree 2978->2981 2982 405f2d GlobalAlloc 2978->2982 2979->2977 2979->2978 2980->2979 2981->2982 2982->2977 2982->2978 2985 404d96 2983->2985 2993 404e39 2983->2993 2984 404db3 lstrlenA 2987 404dc1 lstrlenA 2984->2987 2988 404ddc 2984->2988 2985->2984 2986 4059ff 18 API calls 2985->2986 2986->2984 2989 404dd3 lstrcatA 2987->2989 2987->2993 2990 404de2 SetWindowTextA 2988->2990 2991 404def 2988->2991 2989->2988 2990->2991 2992 404df5 SendMessageA SendMessageA SendMessageA 2991->2992 2991->2993 2992->2993 2993->2931 2994->2915 4144 402803 4145 4029d9 18 API calls 4144->4145 4146 402809 4145->4146 4147 40283a 4146->4147 4148 402817 4146->4148 4150 40265c 4146->4150 4149 4059ff 18 API calls 4147->4149 4147->4150 4148->4150 4152 40593b wsprintfA 4148->4152 4149->4150 4152->4150 2995 401b06 2996 401b13 2995->2996 2997 401b57 2995->2997 3000 4021fb 2996->3000 3004 401b2a 2996->3004 2998 401b80 GlobalAlloc 2997->2998 2999 401b5b 2997->2999 3001 4059ff 18 API calls 2998->3001 3013 401b9b 2999->3013 3016 4059dd lstrcpynA 2999->3016 3002 4059ff 18 API calls 3000->3002 3001->3013 3003 402208 3002->3003 3017 40529e 3003->3017 3014 4059dd lstrcpynA 3004->3014 3007 401b6d GlobalFree 3007->3013 3009 401b39 3015 4059dd lstrcpynA 3009->3015 3011 401b48 3021 4059dd lstrcpynA 3011->3021 3014->3009 3015->3011 3016->3007 3019 4052b3 3017->3019 3018 4052ff 3018->3013 3019->3018 3020 4052c7 MessageBoxIndirectA 3019->3020 3020->3018 3021->3013 4153 402506 4154 4029d9 18 API calls 4153->4154 4155 402510 4154->4155 4156 402544 ReadFile 4155->4156 4157 402588 4155->4157 4159 402598 4155->4159 4161 402586 4155->4161 4156->4155 4156->4161 4162 40593b wsprintfA 4157->4162 4160 4025ae SetFilePointer 4159->4160 4159->4161 4160->4161 4162->4161 4163 404186 4164 404196 4163->4164 
4165 4041bc 4163->4165 4166 403d8f 19 API calls 4164->4166 4167 403df6 8 API calls 4165->4167 4168 4041a3 SetDlgItemTextA 4166->4168 4169 4041c8 4167->4169 4168->4165 4170 401c8a 4171 4029d9 18 API calls 4170->4171 4172 401c91 4171->4172 4173 4029d9 18 API calls 4172->4173 4174 401c99 GetDlgItem 4173->4174 4175 4024b8 4174->4175 4183 401490 4184 404d7b 25 API calls 4183->4184 4185 401497 4184->4185 3583 401d95 3584 4029d9 18 API calls 3583->3584 3585 401d9b 3584->3585 3586 4029d9 18 API calls 3585->3586 3587 401da4 3586->3587 3588 401db6 EnableWindow 3587->3588 3589 401dab ShowWindow 3587->3589 3590 40288b 3588->3590 3589->3590 4186 402615 4187 402618 4186->4187 4188 402630 4186->4188 4189 402625 FindNextFileA 4187->4189 4189->4188 4190 40266f 4189->4190 4192 4059dd lstrcpynA 4190->4192 4192->4188 4193 401595 4194 4029f6 18 API calls 4193->4194 4195 40159c SetFileAttributesA 4194->4195 4196 4015ae 4195->4196 4197 401e95 4198 4029f6 18 API calls 4197->4198 4199 401e9c 4198->4199 4200 405cd8 2 API calls 4199->4200 4201 401ea2 4200->4201 4203 401eb4 4201->4203 4204 40593b wsprintfA 4201->4204 4204->4203 4205 401696 4206 4029f6 18 API calls 4205->4206 4207 40169c GetFullPathNameA 4206->4207 4208 4016b3 4207->4208 4214 4016d4 4207->4214 4211 405cd8 2 API calls 4208->4211 4208->4214 4209 4016e8 GetShortPathNameA 4210 40288b 4209->4210 4212 4016c4 4211->4212 4212->4214 4215 4059dd lstrcpynA 4212->4215 4214->4209 4214->4210 4215->4214 3623 401e1b 3624 4029f6 18 API calls 3623->3624 3625 401e21 3624->3625 3626 404d7b 25 API calls 3625->3626 3627 401e2b 3626->3627 3628 40523d 2 API calls 3627->3628 3632 401e31 3628->3632 3629 401e87 CloseHandle 3631 40265c 3629->3631 3630 401e50 WaitForSingleObject 3630->3632 3633 401e5e GetExitCodeProcess 3630->3633 3632->3629 3632->3630 3632->3631 3634 405d38 2 API calls 3632->3634 3635 401e70 3633->3635 3636 401e7b 3633->3636 3634->3630 3639 40593b wsprintfA 3635->3639 3636->3629 3638 401e79 3636->3638 3638->3629 3639->3638 4216 401d1b 
GetDC GetDeviceCaps 4217 4029d9 18 API calls 4216->4217 4218 401d37 MulDiv 4217->4218 4219 4029d9 18 API calls 4218->4219 4220 401d4c 4219->4220 4221 4059ff 18 API calls 4220->4221 4222 401d85 CreateFontIndirectA 4221->4222 4223 4024b8 4222->4223 4231 40249c 4232 4029f6 18 API calls 4231->4232 4233 4024a3 4232->4233 4236 4056b4 GetFileAttributesA CreateFileA 4233->4236 4235 4024af 4236->4235 3640 402020 3641 4029f6 18 API calls 3640->3641 3642 402027 3641->3642 3643 4029f6 18 API calls 3642->3643 3644 402031 3643->3644 3645 4029f6 18 API calls 3644->3645 3646 40203a 3645->3646 3647 4029f6 18 API calls 3646->3647 3648 402044 3647->3648 3649 4029f6 18 API calls 3648->3649 3650 40204e 3649->3650 3651 402062 CoCreateInstance 3650->3651 3652 4029f6 18 API calls 3650->3652 3655 402081 3651->3655 3656 402137 3651->3656 3652->3651 3653 401423 25 API calls 3654 402169 3653->3654 3655->3656 3657 402116 MultiByteToWideChar 3655->3657 3656->3653 3656->3654 3657->3656 3658 401721 3659 4029f6 18 API calls 3658->3659 3660 401728 3659->3660 3661 4056e3 2 API calls 3660->3661 3662 40172f 3661->3662 3663 4056e3 2 API calls 3662->3663 3663->3662 4237 401922 4238 4029f6 18 API calls 4237->4238 4239 401929 lstrlenA 4238->4239 4240 4024b8 4239->4240 3664 402223 3665 40222b 3664->3665 3668 402231 3664->3668 3666 4029f6 18 API calls 3665->3666 3666->3668 3667 402241 3670 40224f 3667->3670 3671 4029f6 18 API calls 3667->3671 3668->3667 3669 4029f6 18 API calls 3668->3669 3669->3667 3672 4029f6 18 API calls 3670->3672 3671->3670 3673 402258 WritePrivateProfileStringA 3672->3673 4241 403ea3 lstrcpynA lstrlenA 4242 401ca5 4243 4029d9 18 API calls 4242->4243 4244 401cb5 SetWindowLongA 4243->4244 4245 40288b 4244->4245 4246 401a26 4247 4029d9 18 API calls 4246->4247 4248 401a2c 4247->4248 4249 4029d9 18 API calls 4248->4249 4250 4019d6 4249->4250 3684 402427 3694 402b00 3684->3694 3686 402431 3687 4029d9 18 API calls 3686->3687 3688 40243a 3687->3688 3689 402451 RegEnumKeyA 3688->3689 3690 
40245d RegEnumValueA 3688->3690 3691 40265c 3688->3691 3692 402476 RegCloseKey 3689->3692 3690->3691 3690->3692 3692->3691 3695 4029f6 18 API calls 3694->3695 3696 402b19 3695->3696 3697 402b27 RegOpenKeyExA 3696->3697 3697->3686 3698 4022a7 3699 4022d7 3698->3699 3700 4022ac 3698->3700 3702 4029f6 18 API calls 3699->3702 3701 402b00 19 API calls 3700->3701 3703 4022b3 3701->3703 3704 4022de 3702->3704 3705 4029f6 18 API calls 3703->3705 3709 4022f6 3703->3709 3710 402a36 RegOpenKeyExA 3704->3710 3707 4022c4 RegDeleteValueA RegCloseKey 3705->3707 3707->3709 3713 402a61 3710->3713 3718 4022f4 3710->3718 3711 402a87 RegEnumKeyA 3712 402a99 RegCloseKey 3711->3712 3711->3713 3715 405cff 3 API calls 3712->3715 3713->3711 3713->3712 3714 402abe RegCloseKey 3713->3714 3716 402a36 3 API calls 3713->3716 3714->3718 3717 402aa9 3715->3717 3716->3713 3717->3718 3719 402ad9 RegDeleteKeyA 3717->3719 3718->3709 3719->3718 4251 405fa8 4255 405e2c 4251->4255 4252 406797 4253 405eb6 GlobalAlloc 4253->4252 4253->4255 4254 405ead GlobalFree 4254->4253 4255->4252 4255->4253 4255->4254 4256 405f24 GlobalFree 4255->4256 4257 405f2d GlobalAlloc 4255->4257 4256->4257 4257->4252 4257->4255 3720 401bad 3721 4029d9 18 API calls 3720->3721 3722 401bb4 3721->3722 3723 4029d9 18 API calls 3722->3723 3724 401bbe 3723->3724 3725 401bce 3724->3725 3726 4029f6 18 API calls 3724->3726 3729 4029f6 18 API calls 3725->3729 3732 401bde 3725->3732 3726->3725 3727 401be9 3730 4029d9 18 API calls 3727->3730 3728 401c2d 3731 4029f6 18 API calls 3728->3731 3729->3732 3733 401bee 3730->3733 3734 401c32 3731->3734 3732->3727 3732->3728 3735 4029d9 18 API calls 3733->3735 3736 4029f6 18 API calls 3734->3736 3737 401bf7 3735->3737 3738 401c3b FindWindowExA 3736->3738 3739 401c1d SendMessageA 3737->3739 3740 401bff SendMessageTimeoutA 3737->3740 3741 401c59 3738->3741 3739->3741 3740->3741 4258 4023af 4259 402b00 19 API calls 4258->4259 4260 4023b9 4259->4260 4261 4029f6 18 API calls 4260->4261 4262 4023c2 
4261->4262 4263 40265c 4262->4263 4264 4023cc RegQueryValueExA 4262->4264 4265 4023ec 4264->4265 4268 4023f2 RegCloseKey 4264->4268 4265->4268 4269 40593b wsprintfA 4265->4269 4268->4263 4269->4268 3742 4015b3 3743 4029f6 18 API calls 3742->3743 3744 4015ba 3743->3744 3745 405564 4 API calls 3744->3745 3756 4015c2 3745->3756 3746 40160a 3747 40162d 3746->3747 3748 40160f 3746->3748 3754 401423 25 API calls 3747->3754 3751 401423 25 API calls 3748->3751 3749 4054fb CharNextA 3750 4015d0 CreateDirectoryA 3749->3750 3752 4015e5 GetLastError 3750->3752 3750->3756 3753 401616 3751->3753 3755 4015f2 GetFileAttributesA 3752->3755 3752->3756 3760 4059dd lstrcpynA 3753->3760 3759 402169 3754->3759 3755->3756 3756->3746 3756->3749 3758 401621 SetCurrentDirectoryA 3758->3759 3760->3758 3761 401734 3762 4029f6 18 API calls 3761->3762 3763 40173b 3762->3763 3764 401761 3763->3764 3765 401759 3763->3765 3801 4059dd lstrcpynA 3764->3801 3800 4059dd lstrcpynA 3765->3800 3768 40175f 3771 405c3f 5 API calls 3768->3771 3769 40176c 3770 4054d0 3 API calls 3769->3770 3772 401772 lstrcatA 3770->3772 3778 40177e 3771->3778 3772->3768 3773 405cd8 2 API calls 3773->3778 3774 405695 2 API calls 3774->3778 3776 401795 CompareFileTime 3776->3778 3777 401859 3779 404d7b 25 API calls 3777->3779 3778->3773 3778->3774 3778->3776 3778->3777 3780 4059dd lstrcpynA 3778->3780 3787 4059ff 18 API calls 3778->3787 3795 40529e MessageBoxIndirectA 3778->3795 3798 401830 3778->3798 3799 4056b4 GetFileAttributesA CreateFileA 3778->3799 3781 401863 3779->3781 3780->3778 3784 402e5b 37 API calls 3781->3784 3782 404d7b 25 API calls 3783 401845 3782->3783 3785 401876 3784->3785 3786 40188a SetFileTime 3785->3786 3788 40189c FindCloseChangeNotification 3785->3788 3786->3788 3787->3778 3788->3783 3789 4018ad 3788->3789 3790 4018b2 3789->3790 3791 4018c5 3789->3791 3793 4059ff 18 API calls 3790->3793 3792 4059ff 18 API calls 3791->3792 3794 4018cd 3792->3794 3796 4018ba lstrcatA 3793->3796 3797 40529e 
MessageBoxIndirectA 3794->3797 3795->3778 3796->3794 3797->3783 3798->3782 3798->3783 3799->3778 3800->3768 3801->3769 4277 401634 4278 4029f6 18 API calls 4277->4278 4279 40163a 4278->4279 4280 405cd8 2 API calls 4279->4280 4281 401640 4280->4281 4282 401934 4283 4029d9 18 API calls 4282->4283 4284 40193b 4283->4284 4285 4029d9 18 API calls 4284->4285 4286 401945 4285->4286 4287 4029f6 18 API calls 4286->4287 4288 40194e 4287->4288 4289 401961 lstrlenA 4288->4289 4290 40199c 4288->4290 4291 40196b 4289->4291 4291->4290 4295 4059dd lstrcpynA 4291->4295 4293 401985 4293->4290 4294 401992 lstrlenA 4293->4294 4294->4290 4295->4293 4296 4019b5 4297 4029f6 18 API calls 4296->4297 4298 4019bc 4297->4298 4299 4029f6 18 API calls 4298->4299 4300 4019c5 4299->4300 4301 4019cc lstrcmpiA 4300->4301 4302 4019de lstrcmpA 4300->4302 4303 4019d2 4301->4303 4302->4303 4304 4014b7 4305 4014bd 4304->4305 4306 401389 2 API calls 4305->4306 4307 4014c5 4306->4307 3802 404eb9 3803 405065 3802->3803 3804 404eda GetDlgItem GetDlgItem GetDlgItem 3802->3804 3806 405096 3803->3806 3807 40506e GetDlgItem CreateThread CloseHandle 3803->3807 3848 403dc4 SendMessageA 3804->3848 3808 4050c1 3806->3808 3810 4050e3 3806->3810 3811 4050ad ShowWindow ShowWindow 3806->3811 3807->3806 3854 404e4d 5 API calls 3807->3854 3813 40511f 3808->3813 3815 4050d2 3808->3815 3816 4050f8 ShowWindow 3808->3816 3809 404f4b 3812 404f52 GetClientRect GetSystemMetrics SendMessageA SendMessageA 3809->3812 3817 403df6 8 API calls 3810->3817 3850 403dc4 SendMessageA 3811->3850 3818 404fc1 3812->3818 3819 404fa5 SendMessageA SendMessageA 3812->3819 3813->3810 3820 40512a SendMessageA 3813->3820 3851 403d68 3815->3851 3823 405118 3816->3823 3824 40510a 3816->3824 3822 4050f1 3817->3822 3825 404fd4 3818->3825 3826 404fc6 SendMessageA 3818->3826 3819->3818 3820->3822 3827 405143 CreatePopupMenu 3820->3827 3829 403d68 SendMessageA 3823->3829 3828 404d7b 25 API calls 3824->3828 3831 403d8f 19 API calls 3825->3831 3826->3825 
3830 4059ff 18 API calls 3827->3830 3828->3823 3829->3813 3832 405153 AppendMenuA 3830->3832 3833 404fe4 3831->3833 3834 405166 GetWindowRect 3832->3834 3835 405179 3832->3835 3836 405021 GetDlgItem SendMessageA 3833->3836 3837 404fed ShowWindow 3833->3837 3838 405182 TrackPopupMenu 3834->3838 3835->3838 3836->3822 3840 405048 SendMessageA SendMessageA 3836->3840 3839 405003 ShowWindow 3837->3839 3842 405010 3837->3842 3838->3822 3841 4051a0 3838->3841 3839->3842 3840->3822 3843 4051bc SendMessageA 3841->3843 3849 403dc4 SendMessageA 3842->3849 3843->3843 3845 4051d9 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3843->3845 3846 4051fb SendMessageA 3845->3846 3846->3846 3847 40521c GlobalUnlock SetClipboardData CloseClipboard 3846->3847 3847->3822 3848->3809 3849->3836 3850->3808 3852 403d75 SendMessageA 3851->3852 3853 403d6f 3851->3853 3852->3810 3853->3852 4308 402b3b 4309 402b63 4308->4309 4310 402b4a SetTimer 4308->4310 4311 402bb8 4309->4311 4312 402b7d MulDiv wsprintfA SetWindowTextA SetDlgItemTextA 4309->4312 4310->4309 4312->4311 3883 4038bc 3884 4038d4 3883->3884 3885 403a0f 3883->3885 3884->3885 3886 4038e0 3884->3886 3887 403a20 GetDlgItem GetDlgItem 3885->3887 3888 403a60 3885->3888 3889 4038eb SetWindowPos 3886->3889 3890 4038fe 3886->3890 3891 403d8f 19 API calls 3887->3891 3892 403aba 3888->3892 3900 401389 2 API calls 3888->3900 3889->3890 3894 403903 ShowWindow 3890->3894 3895 40391b 3890->3895 3896 403a4a SetClassLongA 3891->3896 3893 403ddb SendMessageA 3892->3893 3913 403a0a 3892->3913 3910 403acc 3893->3910 3894->3895 3897 403923 DestroyWindow 3895->3897 3898 40393d 3895->3898 3899 40140b 2 API calls 3896->3899 3950 403d18 3897->3950 3901 403942 SetWindowLongA 3898->3901 3902 403953 3898->3902 3899->3888 3903 403a92 3900->3903 3901->3913 3906 40395f GetDlgItem 3902->3906 3921 4039ca 3902->3921 3903->3892 3907 403a96 SendMessageA 3903->3907 3904 40140b 2 API calls 3904->3910 3905 403d1a DestroyWindow KiUserCallbackDispatcher 3905->3950 
3911 403972 SendMessageA IsWindowEnabled 3906->3911 3912 40398f 3906->3912 3907->3913 3908 403df6 8 API calls 3908->3913 3909 403d49 ShowWindow 3909->3913 3910->3904 3910->3905 3910->3913 3914 4059ff 18 API calls 3910->3914 3924 403d8f 19 API calls 3910->3924 3926 403d8f 19 API calls 3910->3926 3941 403c5a DestroyWindow 3910->3941 3911->3912 3911->3913 3915 40399c 3912->3915 3916 4039e3 SendMessageA 3912->3916 3917 4039af 3912->3917 3925 403994 3912->3925 3914->3910 3915->3916 3915->3925 3916->3921 3919 4039b7 3917->3919 3920 4039cc 3917->3920 3918 403d68 SendMessageA 3918->3921 3922 40140b 2 API calls 3919->3922 3923 40140b 2 API calls 3920->3923 3921->3908 3922->3925 3923->3925 3924->3910 3925->3918 3925->3921 3927 403b47 GetDlgItem 3926->3927 3928 403b64 ShowWindow KiUserCallbackDispatcher 3927->3928 3929 403b5c 3927->3929 3951 403db1 KiUserCallbackDispatcher 3928->3951 3929->3928 3931 403b8e KiUserCallbackDispatcher 3934 403ba2 3931->3934 3932 403ba7 GetSystemMenu EnableMenuItem SendMessageA 3933 403bd7 SendMessageA 3932->3933 3932->3934 3933->3934 3934->3932 3952 403dc4 SendMessageA 3934->3952 3953 4059dd lstrcpynA 3934->3953 3937 403c05 lstrlenA 3938 4059ff 18 API calls 3937->3938 3939 403c16 SetWindowTextA 3938->3939 3940 401389 2 API calls 3939->3940 3940->3910 3942 403c74 CreateDialogParamA 3941->3942 3941->3950 3943 403ca7 3942->3943 3942->3950 3944 403d8f 19 API calls 3943->3944 3945 403cb2 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3944->3945 3946 401389 2 API calls 3945->3946 3947 403cf8 3946->3947 3947->3913 3948 403d00 ShowWindow 3947->3948 3949 403ddb SendMessageA 3948->3949 3949->3950 3950->3909 3950->3913 3951->3931 3952->3934 3953->3937 4313 40263e 4314 4029f6 18 API calls 4313->4314 4315 402645 FindFirstFileA 4314->4315 4316 402668 4315->4316 4317 402658 4315->4317 4318 40266f 4316->4318 4321 40593b wsprintfA 4316->4321 4322 4059dd lstrcpynA 4318->4322 4321->4318 4322->4317 4323 4024be 4324 4024c3 4323->4324 4325 4024d4 4323->4325 4326 
4029d9 18 API calls 4324->4326 4327 4029f6 18 API calls 4325->4327 4329 4024ca 4326->4329 4328 4024db lstrlenA 4327->4328 4328->4329 4330 4024fa WriteFile 4329->4330 4331 40265c 4329->4331 4330->4331

                                Control-flow Graph (entry block 4030cb-403160; graph not preserved)

                                • Executed
                                • Not Executed
                                APIs
                                • #17.COMCTL32 ref: 004030EA
                                • SetErrorMode.KERNELBASE(00008001), ref: 004030F5
                                • OleInitialize.OLE32(00000000), ref: 004030FC
                                  • Part of subcall function 00405CFF: GetModuleHandleA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D11
                                  • Part of subcall function 00405CFF: LoadLibraryA.KERNELBASE(?,?,00000000,0040310E,00000008), ref: 00405D1C
                                  • Part of subcall function 00405CFF: GetProcAddress.KERNEL32(00000000,?), ref: 00405D2D
                                • SHGetFileInfoA.SHELL32(0041F430,00000000,?,00000160,00000000,00000008), ref: 00403124
                                  • Part of subcall function 004059DD: lstrcpynA.KERNEL32(?,?,00000400,00403139,Unlocker 1.9.2 Setup,NSIS Error), ref: 004059EA
                                • GetCommandLineA.KERNEL32(Unlocker 1.9.2 Setup,NSIS Error), ref: 00403139
                                • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Unlocker1.9.2.exe",00000000), ref: 0040314C
                                • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Unlocker1.9.2.exe",00000020), ref: 00403177
                                • GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 0040320A
                                • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040321F
                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040322B
                                • DeleteFileA.KERNELBASE(1033), ref: 0040323E
                                • ExitProcess.KERNEL32(00000000), ref: 004032B7
                                • OleUninitialize.OLE32(00000000), ref: 004032BC
                                • ExitProcess.KERNEL32 ref: 004032DC
                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Unlocker1.9.2.exe",00000000,00000000), ref: 004032E8
                                • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 004032F4
                                • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403300
                                • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403307
                                • DeleteFileA.KERNEL32(0041F030,0041F030,?,00424000,?), ref: 00403351
                                • CopyFileA.KERNEL32(C:\Users\user\Desktop\Unlocker1.9.2.exe,0041F030,00000001), ref: 00403365
                                • CloseHandle.KERNEL32(00000000,0041F030,0041F030,?,0041F030,00000000), ref: 00403392
                                • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004033E7
                                • ExitWindowsEx.USER32(00000002,00000000), ref: 00403423
                                • ExitProcess.KERNEL32 ref: 00403446
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID: ExitFileProcess$DirectoryHandle$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                • String ID: /D=$ _?=$"$"C:\Users\user\AppData\Local\Temp\DeltaTB.exe" /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt$"C:\Users\user\Desktop\Unlocker1.9.2.exe"$1033$C:\Program Files\Unlocker$C:\Program Files\Unlocker$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Unlocker1.9.2.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$Unlocker 1.9.2 Setup$\Temp$~nsu.tmp
                                • API String ID: 553446912-2407670037
                                • Opcode ID: a19d3eb581d25ceee7db0395522459586b67666d40a4dd21a24ca1e1399dfb9b
                                • Instruction ID: cc286ec977d2638fbe9c092aa5ad16f4889e12429ffafd7da1ab197300c5bae6
                                • Opcode Fuzzy Hash: a19d3eb581d25ceee7db0395522459586b67666d40a4dd21a24ca1e1399dfb9b
                                • Instruction Fuzzy Hash: 9691B170A08340AED7216F619D49B6B7EACEB0530AF44047FF581B62D2C77C9E458B6E

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                [Figure: control-flow graph (image not reproduced)]
                                APIs
                                • GetDlgItem.USER32(?,00000403), ref: 00404F18
                                • GetDlgItem.USER32(?,000003EE), ref: 00404F27
                                • GetClientRect.USER32(?,?), ref: 00404F64
                                • GetSystemMetrics.USER32(00000015), ref: 00404F6C
                                • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404F8D
                                • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404F9E
                                • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404FB1
                                • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FBF
                                • SendMessageA.USER32(?,00001024,00000000,?), ref: 00404FD2
                                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00404FF4
                                • ShowWindow.USER32(?,00000008), ref: 00405008
                                • GetDlgItem.USER32(?,000003EC), ref: 00405029
                                • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405039
                                • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405052
                                • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 0040505E
                                • GetDlgItem.USER32(?,000003F8), ref: 00404F36
                                  • Part of subcall function 00403DC4: SendMessageA.USER32(00000028,?,00000001,00403BF5), ref: 00403DD2
                                • GetDlgItem.USER32(?,000003EC), ref: 0040507B
                                • CreateThread.KERNELBASE(00000000,00000000,Function_00004E4D,00000000), ref: 00405089
                                • CloseHandle.KERNEL32(00000000), ref: 00405090
                                • ShowWindow.USER32(00000000), ref: 004050B4
                                • ShowWindow.USER32(0004048A,00000008), ref: 004050B9
                                • ShowWindow.USER32(00000008), ref: 00405100
                                • SendMessageA.USER32(0004048A,00001004,00000000,00000000), ref: 00405132
                                • CreatePopupMenu.USER32 ref: 00405143
                                • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405158
                                • GetWindowRect.USER32(0004048A,?), ref: 0040516B
                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040518F
                                • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051CA
                                • OpenClipboard.USER32(00000000), ref: 004051DA
                                • EmptyClipboard.USER32 ref: 004051E0
                                • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004051E9
                                • GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004051F3
                                • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405207
                                • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040521F
                                • SetClipboardData.USER32(00000001,00000000), ref: 0040522A
                                • CloseClipboard.USER32 ref: 00405230
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                • String ID: {
                                • API String ID: 590372296-366298937
                                • Opcode ID: b13129ba0f669a28ca00f61caf8228dce9fca78b393cc99d7b0e47fba99552ae
                                • Instruction ID: d8c2bf4a41f8d47596d7e212a196e63f96e24a60825c263716f9721a4c55cacb
                                • Opcode Fuzzy Hash: b13129ba0f669a28ca00f61caf8228dce9fca78b393cc99d7b0e47fba99552ae
                                • Instruction Fuzzy Hash: 99A13A71900208BFDB219F60DD89EAE7F79FB04355F00817AFA04BA2A0C7799A51DF59

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                [Figure: control-flow graph (image not reproduced)]
                                APIs
                                • GetDlgItem.USER32(?,000003F9), ref: 004046E1
                                • GetDlgItem.USER32(?,00000408), ref: 004046EE
                                • GlobalAlloc.KERNEL32(00000040,00000007), ref: 0040473A
                                • LoadBitmapA.USER32(0000006E), ref: 0040474D
                                • SetWindowLongA.USER32(?,000000FC,00404CCB), ref: 00404767
                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040477B
                                • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 0040478F
                                • SendMessageA.USER32(?,00001109,00000002), ref: 004047A4
                                • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004047B0
                                • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004047C2
                                • DeleteObject.GDI32(?), ref: 004047C7
                                • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004047F2
                                • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004047FE
                                • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404893
                                • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004048BE
                                • SendMessageA.USER32(?,00001100,00000000,?), ref: 004048D2
                                • GetWindowLongA.USER32(?,000000F0), ref: 00404901
                                • SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040490F
                                • ShowWindow.USER32(?,00000005), ref: 00404920
                                • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404A23
                                • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404A88
                                • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404A9D
                                • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404AC1
                                • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404AE7
                                • ImageList_Destroy.COMCTL32(?), ref: 00404AFC
                                • GlobalFree.KERNEL32(?), ref: 00404B0C
                                • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404B7C
                                • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404C25
                                • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C34
                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00404C54
                                • ShowWindow.USER32(?,00000000), ref: 00404CA2
                                • GetDlgItem.USER32(?,000003FE), ref: 00404CAD
                                • ShowWindow.USER32(00000000), ref: 00404CB4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                • String ID: $M$N
                                • API String ID: 1638840714-813528018
                                • Opcode ID: 6f88420c93d77387f0f24d9c6c19e635542aef09cd36cac9f532a381c639e13e
                                • Instruction ID: 1ebc4e1f5dd1db854d7f91ec63dfd1d34711f9484ded547680f267f962745bc2
                                • Opcode Fuzzy Hash: 6f88420c93d77387f0f24d9c6c19e635542aef09cd36cac9f532a381c639e13e
                                • Instruction Fuzzy Hash: 0802ADB0A00208EFDB20DF65DC45AAE7BB5FB84315F10817AF610BA2E1D7799A41CF58

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                [Figure: control-flow graph (image not reproduced)]
                                APIs
                                • GetDlgItem.USER32(?,000003FB), ref: 00404219
                                • SetWindowTextA.USER32(?,?), ref: 00404246
                                • SHAutoComplete.SHLWAPI(?,00000001,00000007,?,?,00000014,?,?,00000001,?), ref: 00404284
                                • SHBrowseForFolderA.SHELL32(?,0041F848,?), ref: 004042FB
                                • CoTaskMemFree.OLE32(00000000), ref: 00404306
                                • lstrcmpiA.KERNEL32(Remove folder: ,00420478), ref: 00404338
                                • lstrcatA.KERNEL32(?,Remove folder: ), ref: 00404344
                                • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404354
                                  • Part of subcall function 00405282: GetDlgItemTextA.USER32(?,?,00000400,00404387), ref: 00405295
                                  • Part of subcall function 00405C3F: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Unlocker1.9.2.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405C97
                                  • Part of subcall function 00405C3F: CharNextA.USER32(?,?,?,00000000), ref: 00405CA4
                                  • Part of subcall function 00405C3F: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Unlocker1.9.2.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CA9
                                  • Part of subcall function 00405C3F: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\Unlocker1.9.2.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CB9
                                • GetDiskFreeSpaceExA.KERNELBASE(C:\Program Files\,?,?,?,00000000,C:\Program Files\,?,?,000003FB,?), ref: 004043C6
                                • GetDiskFreeSpaceA.KERNEL32(C:\Program Files\,?,?,0000040F,?,C:\Program Files\,C:\Program Files\,?,00000000,C:\Program Files\,?,?,000003FB,?), ref: 0040440D
                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404428
                                • SetDlgItemTextA.USER32(00000000,00000400,0041F430), ref: 004044A1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID: CharItemText$FreeNext$DiskSpace$AutoBrowseCompleteFolderPrevTaskWindowlstrcatlstrcmpi
                                • String ID: A$C:\Program Files\$C:\Program Files\Unlocker$Remove folder:
                                • API String ID: 936030579-772531688
                                • Opcode ID: f620154ea62ad6bd0c942c410229765c9d88c2cad30687c3b8eb4897cd28c5b9
                                • Instruction ID: b374e158efdd7287bf49babe660ec8015a33fdd664c905072b33ae798ddb7db4
                                • Opcode Fuzzy Hash: f620154ea62ad6bd0c942c410229765c9d88c2cad30687c3b8eb4897cd28c5b9
                                • Instruction Fuzzy Hash: 4C9175B1A00219ABDF11AFA1CC84AAF7AB8EF44354F10407BFA04B62D1D77C9A41DB59

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                [Figure: control-flow graph (image not reproduced)]
                                APIs
                                • DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\Unlocker1.9.2.exe",00000000), ref: 00405320
                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\*.*,?,00000000,?,"C:\Users\user\Desktop\Unlocker1.9.2.exe",00000000), ref: 0040536A
                                • lstrcatA.KERNEL32(?,00409010,?,C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\*.*,?,00000000,?,"C:\Users\user\Desktop\Unlocker1.9.2.exe",00000000), ref: 0040538B
                                • lstrlenA.KERNEL32(?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\*.*,?,00000000,?,"C:\Users\user\Desktop\Unlocker1.9.2.exe",00000000), ref: 00405391
                                • FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\*.*,?,?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\*.*,?,00000000,?,"C:\Users\user\Desktop\Unlocker1.9.2.exe",00000000), ref: 004053A2
                                • FindNextFileA.KERNELBASE(?,00000010,000000F2,?), ref: 00405454
                                • FindClose.KERNEL32(?), ref: 00405465
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                • String ID: "C:\Users\user\Desktop\Unlocker1.9.2.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\*.*$\*.*
                                • API String ID: 2035342205-2177359180
                                • Opcode ID: ab34e0f4a398502fe4f841fd0ab2e19b6a8460b2f5b0e4388ce4a397f92dccb8
                                • Instruction ID: 4b200e60d3e8d58e0ab6cbb93b3ca9934a2dcfa31e3b076817fab6d13423d761
                                • Opcode Fuzzy Hash: ab34e0f4a398502fe4f841fd0ab2e19b6a8460b2f5b0e4388ce4a397f92dccb8
                                • Instruction Fuzzy Hash: 45511230844A48B6DB226B228C45BFF3A78DF4275AF14813BF845751D1C77C4981DE6E

                                APIs
                                • GetVersion.KERNEL32(00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00000000,00404DB3,Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00000000), ref: 00405AA7
                                • GetSystemDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405B22
                                • GetWindowsDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405B35
                                • SHGetSpecialFolderLocation.SHELL32(?,005ED446), ref: 00405B71
                                • SHGetPathFromIDListA.SHELL32(005ED446,Remove folder: ), ref: 00405B7F
                                • CoTaskMemFree.OLE32(005ED446), ref: 00405B8A
                                • lstrcatA.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 00405BAC
                                • lstrlenA.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00000000,00404DB3,Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00000000), ref: 00405BFE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                • String ID: Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                • API String ID: 900638850-483617536
                                • Opcode ID: 2d5ebac93c140e73d4be386df5cf957c2dfe9d46f2c0b54d72834ecc596bd5b5
                                • Instruction ID: d3edd175ae4d098aa1e1d30cbcff8d3f456ad99068bf2b680a9da6a8a672f2a4
                                • Opcode Fuzzy Hash: 2d5ebac93c140e73d4be386df5cf957c2dfe9d46f2c0b54d72834ecc596bd5b5
                                • Instruction Fuzzy Hash: 30511471A04A04ABEB215F68DC84B7F3BB4EB55324F14423BE911B62D1D27C6981DF4E
                                APIs
                                • CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402073
                                • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker\Uninstall.lnk,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D
                                Strings
                                • C:\Program Files\Unlocker, xrefs: 004020AB
                                • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker\Uninstall.lnk, xrefs: 00402116, 00402120, 0040213C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWide
                                • String ID: C:\Program Files\Unlocker$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker\Uninstall.lnk
                                • API String ID: 123533781-2677551611
                                • Opcode ID: 71453fb45c89770e4f5e9780d50359adef83bdbe6145f3bfd3e7a5e9e412efc0
                                • Instruction ID: ce0b4858a9f81ea3ddc308d80d774a06bef6b406c5dcff46aa6a4b0d76e862c7
                                • Opcode Fuzzy Hash: 71453fb45c89770e4f5e9780d50359adef83bdbe6145f3bfd3e7a5e9e412efc0
                                • Instruction Fuzzy Hash: AE418E75A00205BFCB40DFA4CD88E9E7BBABF48354B204269FA15FB2D1CA799D41CB54
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9b666163c1661dbd9b8a2e81cbf380ba9933516b4cb578f4d51b52d9bda143bb
                                • Instruction ID: ffbedf2a53f09e030cb941e21afd419a8c3069ec791793070072d3341ca218b9
                                • Opcode Fuzzy Hash: 9b666163c1661dbd9b8a2e81cbf380ba9933516b4cb578f4d51b52d9bda143bb
                                • Instruction Fuzzy Hash: 17F16571D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A86CF44
                                APIs
                                • FindFirstFileA.KERNELBASE(?,004224C8,C:\,004055F4,C:\,C:\,00000000,C:\,C:\,?,?,00000000,00405316,?,"C:\Users\user\Desktop\Unlocker1.9.2.exe",00000000), ref: 00405CE3
                                • FindClose.KERNEL32(00000000), ref: 00405CEF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID: Find$CloseFileFirst
                                • String ID: C:\
                                • API String ID: 2295610775-3404278061
                                • Opcode ID: eaa6d706d35b9193dbeff2470bba944fadabcf5bc74d52a04f68ed274a91c94e
                                • Instruction ID: 9a18407f5d3c0b203e51d924b64f4f6f4a008a27543408caa796c3d3b713bef8
                                • Opcode Fuzzy Hash: eaa6d706d35b9193dbeff2470bba944fadabcf5bc74d52a04f68ed274a91c94e
                                • Instruction Fuzzy Hash: 91D0C93594D620ABD6012728AD0884B6A589B153317508B32F46AE22E0C7748C529AA9
                                APIs
                                • GetModuleHandleA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D11
                                • LoadLibraryA.KERNELBASE(?,?,00000000,0040310E,00000008), ref: 00405D1C
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00405D2D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID: AddressHandleLibraryLoadModuleProc
                                • String ID:
                                • API String ID: 310444273-0
                                • Opcode ID: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
                                • Instruction ID: d69b72dbe4010a9b48e4a262f362438d38f190b8a9031efe6831075815a54aa0
                                • Opcode Fuzzy Hash: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
                                • Instruction Fuzzy Hash: 5DE08C32A04610BBD3215B20AE0896B73A8EED9B403004C7EF615F6251D734AC11DBBA

                                APIs
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004038F8
                                • ShowWindow.USER32(?), ref: 00403915
                                • DestroyWindow.USER32 ref: 00403929
                                • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403945
                                • GetDlgItem.USER32(?,?), ref: 00403966
                                • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 0040397A
                                • IsWindowEnabled.USER32(00000000), ref: 00403981
                                • GetDlgItem.USER32(?,00000001), ref: 00403A2F
                                • GetDlgItem.USER32(?,00000002), ref: 00403A39
                                • SetClassLongA.USER32(?,000000F2,?), ref: 00403A53
                                • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403AA4
                                • GetDlgItem.USER32(?,00000003), ref: 00403B4A
                                • ShowWindow.USER32(00000000,?), ref: 00403B6B
                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403B7D
                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403B98
                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403BAE
                                • EnableMenuItem.USER32(00000000), ref: 00403BB5
                                • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403BCD
                                • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403BE0
                                • lstrlenA.KERNEL32(00420478,?,00420478,Unlocker 1.9.2 Setup), ref: 00403C09
                                • SetWindowTextA.USER32(?,00420478), ref: 00403C18
                                • ShowWindow.USER32(?,0000000A), ref: 00403D4C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID: Window$Item$MessageSend$Show$CallbackDispatcherLongMenuUser$ClassDestroyEnableEnabledSystemTextlstrlen
                                • String ID: Unlocker 1.9.2 Setup
                                • API String ID: 1252290697-3402739367
                                • Opcode ID: 17db576ff1e04bb401156bec3937a30c5754e03700d25ec8c7f88e75de32935b
                                • Instruction ID: 874aaf0cc80a4ada72e8b6aceb9d73cb056a569e4b675a7f159d56e4bf17f1bf
                                • Opcode Fuzzy Hash: 17db576ff1e04bb401156bec3937a30c5754e03700d25ec8c7f88e75de32935b
                                • Instruction Fuzzy Hash: F9C18E71A04204BBDB206F21ED85E2B3E7CEB05746F40453EF641B52F1C779AA429B2E

                                APIs
                                  • Part of subcall function 00405CFF: GetModuleHandleA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D11
                                  • Part of subcall function 00405CFF: LoadLibraryA.KERNELBASE(?,?,00000000,0040310E,00000008), ref: 00405D1C
                                  • Part of subcall function 00405CFF: GetProcAddress.KERNEL32(00000000,?), ref: 00405D2D
                                • lstrcatA.KERNEL32(1033,00420478,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420478,00000000,00000006,"C:\Users\user\Desktop\Unlocker1.9.2.exe",00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403597
                                • lstrlenA.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files\Unlocker,1033,00420478,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420478,00000000,00000006,"C:\Users\user\Desktop\Unlocker1.9.2.exe"), ref: 0040360C
                                • lstrcmpiA.KERNEL32(?,.exe), ref: 0040361F
                                • GetFileAttributesA.KERNEL32(Remove folder: ), ref: 0040362A
                                • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files\Unlocker), ref: 00403673
                                  • Part of subcall function 0040593B: wsprintfA.USER32 ref: 00405948
                                • RegisterClassA.USER32 ref: 004036BA
                                • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036D2
                                • CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040370B
                                • ShowWindow.USER32(00000005,00000000), ref: 00403741
                                • LoadLibraryA.KERNELBASE(RichEd20), ref: 00403752
                                • LoadLibraryA.KERNEL32(RichEd32), ref: 0040375D
                                • GetClassInfoA.USER32(00000000,RichEdit20A,00423620), ref: 0040376D
                                • GetClassInfoA.USER32(00000000,RichEdit,00423620), ref: 0040377A
                                • RegisterClassA.USER32(00423620), ref: 00403783
                                • DialogBoxParamA.USER32(?,00000000,004038BC,00000000), ref: 004037A2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                • String ID: "C:\Users\user\Desktop\Unlocker1.9.2.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Program Files\Unlocker$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                • API String ID: 914957316-405316695
                                • Opcode ID: f93f1545b230c8163d09655257c65a13db3ac628cd3f161671649cd9b752f71f
                                • Instruction ID: 0f3f48bff709b167bb3a38cee6451da723a784a17f6d38f49bc0c0f1e25ee8dd
                                • Opcode Fuzzy Hash: f93f1545b230c8163d09655257c65a13db3ac628cd3f161671649cd9b752f71f
                                • Instruction Fuzzy Hash: 9261C5B1A04200BAD6206F659C45E3B3A6DE74474AF40453FF941B62E1D67D9E028B3E

                                APIs
                                • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F62
                                • GetDlgItem.USER32(00000000,000003E8), ref: 00403F76
                                • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403F94
                                • GetSysColor.USER32(?), ref: 00403FA5
                                • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FB4
                                • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FC3
                                • lstrlenA.KERNEL32(?), ref: 00403FCD
                                • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00403FDB
                                • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00403FEA
                                • GetDlgItem.USER32(?,0000040A), ref: 0040404D
                                • SendMessageA.USER32(00000000), ref: 00404050
                                • GetDlgItem.USER32(?,000003E8), ref: 0040407B
                                • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040BB
                                • LoadCursorA.USER32(00000000,00007F02), ref: 004040CA
                                • SetCursor.USER32(00000000), ref: 004040D3
                                • ShellExecuteA.SHELL32(0000070B,open, .B,00000000,00000000,00000001), ref: 004040E6
                                • LoadCursorA.USER32(00000000,00007F00), ref: 004040F3
                                • SetCursor.USER32(00000000), ref: 004040F6
                                • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404122
                                • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404136
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                • String ID: .B$N$Remove folder: $open
                                • API String ID: 3615053054-1104553104

                                Control-flow Graph

                                APIs
                                • GetTickCount.KERNEL32 ref: 00402C33
                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Unlocker1.9.2.exe,00000400), ref: 00402C4F
                                  • Part of subcall function 004056B4: GetFileAttributesA.KERNELBASE(00000003,00402C62,C:\Users\user\Desktop\Unlocker1.9.2.exe,80000000,00000003), ref: 004056B8
                                  • Part of subcall function 004056B4: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004056DA
                                • GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Unlocker1.9.2.exe,C:\Users\user\Desktop\Unlocker1.9.2.exe,80000000,00000003), ref: 00402C9B
                                Similarity
                                • API ID: File$AttributesCountCreateModuleNameSizeTick
                                • String ID: "C:\Users\user\Desktop\Unlocker1.9.2.exe"$(pA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Unlocker1.9.2.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                • API String ID: 4283519449-270693539

                                Control-flow Graph

                                APIs
                                • lstrcatA.KERNEL32(00000000,00000000,show,C:\Program Files\Unlocker,00000000,00000000,00000031), ref: 00401773
                                • CompareFileTime.KERNEL32(-00000014,?,show,show,00000000,00000000,show,C:\Program Files\Unlocker,00000000,00000000,00000031), ref: 0040179D
                                  • Part of subcall function 004059DD: lstrcpynA.KERNEL32(?,?,00000400,00403139,Unlocker 1.9.2 Setup,NSIS Error), ref: 004059EA
                                  • Part of subcall function 00404D7B: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00000000,005ED446,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000,?), ref: 00404DB4
                                  • Part of subcall function 00404D7B: lstrlenA.KERNEL32(00402F8B,Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00000000,005ED446,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000), ref: 00404DC4
                                  • Part of subcall function 00404D7B: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00402F8B,00402F8B,Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00000000,005ED446,00000000), ref: 00404DD7
                                  • Part of subcall function 00404D7B: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\), ref: 00404DE9
                                  • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E0F
                                  • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E29
                                  • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E37
                                Similarity
                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                • String ID: C:\Program Files\Unlocker$C:\Users\user\AppData\Local\Temp\nsw59E9.tmp$C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\InstallOptions.dll$show
                                • API String ID: 1941528284-2490883254

                                Control-flow Graph

                                APIs
                                • lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00000000,005ED446,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000,?), ref: 00404DB4
                                • lstrlenA.KERNEL32(00402F8B,Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00000000,005ED446,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000), ref: 00404DC4
                                • lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00402F8B,00402F8B,Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00000000,005ED446,00000000), ref: 00404DD7
                                • SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\), ref: 00404DE9
                                • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E0F
                                • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E29
                                • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E37
                                Similarity
                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                • String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\
                                • API String ID: 2531174081-2498566095

                                Control-flow Graph

                                APIs
                                • GetTickCount.KERNEL32 ref: 00402EB9
                                • GetTickCount.KERNEL32 ref: 00402F3A
                                • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F67
                                • wsprintfA.USER32 ref: 00402F77
                                • WriteFile.KERNELBASE(00000000,00000000,005ED446,00000000,00000000), ref: 00402FA3
                                Similarity
                                • API ID: CountTick$FileWritewsprintf
                                • String ID: ... %d%%
                                • API String ID: 4209647438-2449383134

                                Control-flow Graph

                                APIs
                                • GlobalAlloc.KERNELBASE(00000040,0000CE00,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
                                • GlobalFree.KERNELBASE(?), ref: 00402725
                                • WriteFile.KERNELBASE(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
                                • GlobalFree.KERNEL32(00000000), ref: 0040273E
                                • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402756
                                • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A
                                Similarity
                                • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                • String ID:
                                • API String ID: 3294113728-0

                                Control-flow Graph

                                APIs
                                • RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,00000100,?,?,?,00000011,00000002), ref: 00402341
                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsw59E9.tmp,00000023,?,?,?,00000100,?,?,?,00000011,00000002), ref: 00402361
                                • RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsw59E9.tmp,00000000,?,?,?,00000100,?,?,?,00000011,00000002), ref: 0040239A
                                • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsw59E9.tmp,00000000,?,?,?,00000100,?,?,?,00000011,00000002), ref: 0040247D
                                Similarity
                                • API ID: CloseCreateValuelstrlen
                                • String ID: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp
                                • API String ID: 1356686001-3488015698
                                APIs
                                  • Part of subcall function 00405564: CharNextA.USER32(00405316,?,C:\,00000000,004055C8,C:\,C:\,?,?,00000000,00405316,?,"C:\Users\user\Desktop\Unlocker1.9.2.exe",00000000), ref: 00405572
                                  • Part of subcall function 00405564: CharNextA.USER32(00000000), ref: 00405577
                                  • Part of subcall function 00405564: CharNextA.USER32(00000000), ref: 00405586
                                • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                                • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                                • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                                • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Program Files\Unlocker,00000000,00000000,000000F0), ref: 00401622
                                Strings
                                • C:\Program Files\Unlocker, xrefs: 00401617
                                Similarity
                                • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                • String ID: C:\Program Files\Unlocker
                                • API String ID: 3751793516-1747243819
                                APIs
                                • GetTickCount.KERNEL32 ref: 004056F6
                                • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405710
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CountFileNameTempTick
                                • String ID: "C:\Users\user\Desktop\Unlocker1.9.2.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                • API String ID: 1716503409-1276116323
                                APIs
                                • lstrlenA.KERNEL32(00420478,00420478,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404488,000000DF,0000040F,00000400,00000000), ref: 004045F6
                                • wsprintfA.USER32 ref: 004045FE
                                • SetDlgItemTextA.USER32(?,00420478), ref: 00404611
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ItemTextlstrlenwsprintf
                                • String ID: %u.%u%s%s
                                • API String ID: 3540041739-3551169577
                                APIs
                                • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
                                • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: MessageSend$Timeout
                                • String ID: !
                                • API String ID: 1777923405-2657877971
                                APIs
                                • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422480,Error launching installer), ref: 00405262
                                • CloseHandle.KERNEL32(?), ref: 0040526F
                                Strings
                                • C:\Users\user\AppData\Local\Temp\, xrefs: 0040523D
                                • Error launching installer, xrefs: 00405250
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CloseCreateHandleProcess
                                • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
                                • API String ID: 3712363035-1785902839
                                APIs
                                • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C
                                  • Part of subcall function 00404D7B: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00000000,005ED446,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000,?), ref: 00404DB4
                                  • Part of subcall function 00404D7B: lstrlenA.KERNEL32(00402F8B,Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00000000,005ED446,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000), ref: 00404DC4
                                  • Part of subcall function 00404D7B: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00402F8B,00402F8B,Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00000000,005ED446,00000000), ref: 00404DD7
                                  • Part of subcall function 00404D7B: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\), ref: 00404DE9
                                  • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E0F
                                  • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E29
                                  • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E37
                                • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
                                • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                • String ID:
                                • API String ID: 2987980305-0
                                APIs
                                • IsWindowVisible.USER32(?), ref: 00404D01
                                • CallWindowProcA.USER32(?,00000200,?,?), ref: 00404D6F
                                  • Part of subcall function 00403DDB: SendMessageA.USER32(00060486,00000000,00000000,00000000), ref: 00403DED
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Window$CallMessageProcSendVisible
                                • String ID:
                                • API String ID: 3748168415-3916222277
                                APIs
                                  • Part of subcall function 004059DD: lstrcpynA.KERNEL32(?,?,00000400,00403139,Unlocker 1.9.2 Setup,NSIS Error), ref: 004059EA
                                  • Part of subcall function 00405564: CharNextA.USER32(00405316,?,C:\,00000000,004055C8,C:\,C:\,?,?,00000000,00405316,?,"C:\Users\user\Desktop\Unlocker1.9.2.exe",00000000), ref: 00405572
                                  • Part of subcall function 00405564: CharNextA.USER32(00000000), ref: 00405577
                                  • Part of subcall function 00405564: CharNextA.USER32(00000000), ref: 00405586
                                • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,?,?,00000000,00405316,?,"C:\Users\user\Desktop\Unlocker1.9.2.exe",00000000), ref: 00405604
                                • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,00000000,00405316,?,"C:\Users\user\Desktop\Unlocker1.9.2.exe",00000000), ref: 00405614
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                • String ID: C:\
                                • API String ID: 3248276644-3404278061
                                APIs
                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: MessageSend
                                • String ID: |gU
                                • API String ID: 3850602802-2467762237
                                APIs
                                  • Part of subcall function 00405C3F: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Unlocker1.9.2.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405C97
                                  • Part of subcall function 00405C3F: CharNextA.USER32(?,?,?,00000000), ref: 00405CA4
                                  • Part of subcall function 00405C3F: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Unlocker1.9.2.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CA9
                                  • Part of subcall function 00405C3F: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\Unlocker1.9.2.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CB9
                                • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 004030B8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Char$Next$CreateDirectoryPrev
                                • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                • API String ID: 4115351271-517883005
                                APIs
                                • FreeLibrary.KERNELBASE(?,"C:\Users\user\Desktop\Unlocker1.9.2.exe",00000000,00000000,00403469,004032BC,00000000), ref: 004034AB
                                • GlobalFree.KERNEL32(00000000), ref: 004034B2
                                Strings
                                • "C:\Users\user\Desktop\Unlocker1.9.2.exe", xrefs: 004034A3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Free$GlobalLibrary
                                • String ID: "C:\Users\user\Desktop\Unlocker1.9.2.exe"
                                • API String ID: 1100898210-3781551375
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a5c1a6d88fbf3736e083e35a306841f5f7567a3339756a66f66144e6d7487cc4
                                • Instruction ID: c975835c63a62796fcb7e955cfffcd5e326eaa1512836fcadbce1623bdfadb04
                                • Opcode Fuzzy Hash: a5c1a6d88fbf3736e083e35a306841f5f7567a3339756a66f66144e6d7487cc4
                                • Instruction Fuzzy Hash: AF816671D00229CFDF24CFA8C8447AEBBB1FB44305F25816AD856BB281C7789A86DF54
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 797fef13bb3e8e171cff3cae9b41bd7abdeca14a353df9249488f574514014e3
                                • Instruction ID: 0ba87498709856dc17a0c5f751d6ecfe3ae25d7b1153355424f504aba8ac83cf
                                • Opcode Fuzzy Hash: 797fef13bb3e8e171cff3cae9b41bd7abdeca14a353df9249488f574514014e3
                                • Instruction Fuzzy Hash: B4817772D04229CBDF24CFA8C8447AEBBB0FB44305F25816AD856BB2C0D7785A86DF44
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ab0e96aa9de7783a5fbfa8537471c17f47562fab6ccc56c1d015952012775d3a
                                • Instruction ID: 47c5cb8fc101d284839cddc633a7ca9263ac2e2456f843b1234a04abf02d33d1
                                • Opcode Fuzzy Hash: ab0e96aa9de7783a5fbfa8537471c17f47562fab6ccc56c1d015952012775d3a
                                • Instruction Fuzzy Hash: 0C713371D00229CBDF28CFA8C844BADBBF1FB44305F15806AD816BB281D7785A86DF54
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 204a14aa4723f8bacec733d7555320540fe203445ac57d520a52ca53e11fdb0c
                                • Instruction ID: aa40489b15165fca9e2d73c9723ecf3d5b4a768092768a0400057c9dc9ec6b69
                                • Opcode Fuzzy Hash: 204a14aa4723f8bacec733d7555320540fe203445ac57d520a52ca53e11fdb0c
                                • Instruction Fuzzy Hash: F6714471D04229CFDF28CF98C844BAEBBB1FB44305F25816AD816BB281D7785A86DF54
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: be6e9d30e93fbb49eb3c361b8f1c94b7932ac8d56391751c3e2361f0828e0a06
                                • Instruction ID: f7c6f07f586ed293a1c67bf574783cb577a0acbc2814a7f5ecfd539a56c9ebac
                                • Opcode Fuzzy Hash: be6e9d30e93fbb49eb3c361b8f1c94b7932ac8d56391751c3e2361f0828e0a06
                                • Instruction Fuzzy Hash: AF715671D00229CBDF28CF98C844BADBBB1FF44305F15816AD816BB281C7785A46DF54
                                APIs
                                • GlobalFree.KERNEL32(00000000), ref: 00401B75
                                • GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401B87
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID: Global$AllocFree
                                • String ID: show
                                • API String ID: 3394109436-839833857
                                APIs
                                  • Part of subcall function 00404D7B: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00000000,005ED446,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000,?), ref: 00404DB4
                                  • Part of subcall function 00404D7B: lstrlenA.KERNEL32(00402F8B,Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00000000,005ED446,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000), ref: 00404DC4
                                  • Part of subcall function 00404D7B: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00402F8B,00402F8B,Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,00000000,005ED446,00000000), ref: 00404DD7
                                  • Part of subcall function 00404D7B: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\), ref: 00404DE9
                                  • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E0F
                                  • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E29
                                  • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E37
                                  • Part of subcall function 0040523D: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422480,Error launching installer), ref: 00405262
                                  • Part of subcall function 0040523D: CloseHandle.KERNEL32(?), ref: 0040526F
                                • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E55
                                • GetExitCodeProcess.KERNELBASE(?,?), ref: 00401E65
                                • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401E8A
                                Similarity
                                • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
                                • String ID:
                                • API String ID: 3521207402-0
                                APIs
                                • RegOpenKeyExA.KERNELBASE(80000002,00405B00,00000000,00000002,?,00000002,0013782D,?,00405B00,80000002,Software\Microsoft\Windows\CurrentVersion,0013782D,Remove folder: ,0055B6E5), ref: 004058ED
                                • RegQueryValueExA.KERNELBASE(0013782D,?,00000000,00405B00,0013782D,00405B00), ref: 0040590E
                                • RegCloseKey.KERNELBASE(?), ref: 0040592F
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                APIs
                                  • Part of subcall function 00402B00: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B28
                                • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402455
                                • RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 00402468
                                • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsw59E9.tmp,00000000,?,?,?,00000100,?,?,?,00000011,00000002), ref: 0040247D
                                Similarity
                                • API ID: Enum$CloseOpenValue
                                • String ID:
                                • API String ID: 167947723-0
                                APIs
                                • GetPrivateProfileStringA.KERNEL32(00000000,?,!N~,?,000003FF,00000000), ref: 00402297
                                Strings
                                Similarity
                                • API ID: PrivateProfileString
                                • String ID: !N~
                                • API String ID: 1096422788-529124213
                                APIs
                                • SendMessageA.USER32(00000408,?,00000000,004039CA), ref: 00403D86
                                Strings
                                Similarity
                                • API ID: MessageSend
                                • String ID: x
                                • API String ID: 3850602802-2363233923
                                APIs
                                  • Part of subcall function 00402B00: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B28
                                • RegQueryValueExA.ADVAPI32(00000000,00000000,?,000003FF,?,?,?,?,00000033), ref: 004023DF
                                • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsw59E9.tmp,00000000,?,?,?,00000100,?,?,?,00000011,00000002), ref: 0040247D
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                APIs
                                  • Part of subcall function 00402B00: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B28
                                • RegDeleteValueA.KERNELBASE(00000000,00000000,00000033), ref: 004022C6
                                • RegCloseKey.ADVAPI32(00000000), ref: 004022CF
                                Similarity
                                • API ID: CloseDeleteOpenValue
                                • String ID:
                                • API String ID: 849931509-0
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 00404E5D
                                  • Part of subcall function 00403DDB: SendMessageA.USER32(00060486,00000000,00000000,00000000), ref: 00403DED
                                • OleUninitialize.OLE32(00000404,00000000), ref: 00404EA9
                                Similarity
                                • API ID: InitializeMessageSendUninitialize
                                • String ID:
                                APIs
                                • SendMessageA.USER32(?,0000000B,00000001), ref: 00402875
                                • InvalidateRect.USER32(?), ref: 00402885
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: InvalidateMessageRectSend
                                • String ID:
                                APIs
                                • ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DAB
                                • EnableWindow.USER32(00000000,00000000), ref: 00401DB6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Window$EnableShow
                                • String ID:
                                APIs
                                • GetFileAttributesA.KERNELBASE(00000003,00402C62,C:\Users\user\Desktop\Unlocker1.9.2.exe,80000000,00000003), ref: 004056B8
                                • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004056DA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: File$AttributesCreate
                                • String ID:
                                APIs
                                • CloseHandle.KERNEL32(FFFFFFFF,004032BC,00000000), ref: 00403457
                                Strings
                                • C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\, xrefs: 0040346B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CloseHandle
                                • String ID: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\
                                APIs
                                • GetFileAttributesA.KERNELBASE(?,004054A0,?,?,?), ref: 00405699
                                • SetFileAttributesA.KERNELBASE(?,00000000), ref: 004056AB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                APIs
                                • WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040225C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: PrivateProfileStringWrite
                                • String ID:
                                APIs
                                • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EA7,000000FF,00000004,00000000,00000000,00000000), ref: 00403065
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: FileRead
                                • String ID:
                                APIs
                                • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B28
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Open
                                • String ID:
                                APIs
                                • SetDlgItemTextA.USER32(?,?,00000000), ref: 00403DA9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ItemText
                                • String ID:
                                APIs
                                • SendMessageA.USER32(00060486,00000000,00000000,00000000), ref: 00403DED
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: MessageSend
                                • String ID:
                                APIs
                                • SendMessageA.USER32(00000028,?,00000001,00403BF5), ref: 00403DD2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: MessageSend
                                • String ID:
                                APIs
                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DE9,0000CDE4), ref: 0040308E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: FilePointer
                                • String ID:
                                APIs
                                • GetDlgItemTextA.USER32(?,?,00000400,00404387), ref: 00405295
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ItemText
                                • String ID:
                                APIs
                                • KiUserCallbackDispatcher.NTDLL(?,00403B8E), ref: 00403DBB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CallbackDispatcherUser
                                • String ID:
                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D
                                Similarity
                                • API ID: FileFindFirst
                                • String ID:
                                APIs
                                • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                • BeginPaint.USER32(?,?), ref: 00401047
                                • GetClientRect.USER32(?,?), ref: 0040105B
                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                • DeleteObject.GDI32(?), ref: 004010ED
                                • CreateFontIndirectA.GDI32(?), ref: 00401105
                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                • SetTextColor.GDI32(00000000,?), ref: 00401130
                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                • DrawTextA.USER32(00000000,Unlocker 1.9.2 Setup,000000FF,00000010,00000820), ref: 00401156
                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                • DeleteObject.GDI32(?), ref: 00401165
                                • EndPaint.USER32(?,?), ref: 0040116E
                                Strings
                                Similarity
                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                • String ID: F$Unlocker 1.9.2 Setup
                                APIs
                                  • Part of subcall function 00405CFF: GetModuleHandleA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D11
                                  • Part of subcall function 00405CFF: LoadLibraryA.KERNELBASE(?,?,00000000,0040310E,00000008), ref: 00405D1C
                                  • Part of subcall function 00405CFF: GetProcAddress.KERNEL32(00000000,?), ref: 00405D2D
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,004054C0,?,00000000,000000F1,?), ref: 00405778
                                • GetShortPathNameA.KERNEL32(?,00422608,00000400), ref: 00405781
                                • GetShortPathNameA.KERNEL32(00000000,00422080,00000400), ref: 0040579E
                                • wsprintfA.USER32 ref: 004057BC
                                • GetFileSize.KERNEL32(00000000,00000000,00422080,C0000000,00000004,00422080,?,?,?,00000000,000000F1,?), ref: 004057F7
                                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405806
                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040581C
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421C80,00000000,-0000000A,00409330,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405862
                                • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405874
                                • GlobalFree.KERNEL32(00000000), ref: 0040587B
                                • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405882
                                  • Part of subcall function 00405629: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405837,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405630
                                  • Part of subcall function 00405629: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405837,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405660
                                Strings
                                Similarity
                                • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
                                • String ID: %s=%s$[Rename]
                                APIs
                                • CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Unlocker1.9.2.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405C97
                                • CharNextA.USER32(?,?,?,00000000), ref: 00405CA4
                                • CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Unlocker1.9.2.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CA9
                                • CharPrevA.USER32(?,?,"C:\Users\user\Desktop\Unlocker1.9.2.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CB9
                                Strings
                                Similarity
                                • API ID: Char$Next$Prev
                                • String ID: "C:\Users\user\Desktop\Unlocker1.9.2.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                APIs
                                • GetWindowLongA.USER32(?,000000EB), ref: 00403E13
                                • GetSysColor.USER32(00000000), ref: 00403E2F
                                • SetTextColor.GDI32(?,00000000), ref: 00403E3B
                                • SetBkMode.GDI32(?,?), ref: 00403E47
                                • GetSysColor.USER32(?), ref: 00403E5A
                                • SetBkColor.GDI32(?,?), ref: 00403E6A
                                • DeleteObject.GDI32(?), ref: 00403E84
                                • CreateBrushIndirect.GDI32(?), ref: 00403E8E
                                Similarity
                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                • String ID:
                                APIs
                                • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404665
                                • GetMessagePos.USER32 ref: 0040466D
                                • ScreenToClient.USER32(?,?), ref: 00404687
                                • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404699
                                • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004046BF
                                Strings
                                Similarity
                                • API ID: Message$Send$ClientScreen
                                • String ID: f
                                APIs
                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
                                • MulDiv.KERNEL32(0010753B,00000064,0010753F), ref: 00402B81
                                • wsprintfA.USER32 ref: 00402B91
                                • SetWindowTextA.USER32(?,?), ref: 00402BA1
                                • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3
                                Strings
                                • verifying installer: %d%%, xrefs: 00402B8B
                                Similarity
                                • API ID: Text$ItemTimerWindowwsprintf
                                • String ID: verifying installer: %d%%
                                APIs
                                • GetDC.USER32(?), ref: 00401D22
                                • GetDeviceCaps.GDI32(00000000), ref: 00401D29
                                • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
                                • CreateFontIndirectA.GDI32(0040AF54), ref: 00401D8A
                                Strings
                                Similarity
                                • API ID: CapsCreateDeviceFontIndirect
                                • String ID: MS Shell Dlg
                                APIs
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000100,?), ref: 00402A57
                                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
                                • RegCloseKey.ADVAPI32(?), ref: 00402A9C
                                • RegCloseKey.ADVAPI32(?), ref: 00402AC1
                                • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF
                                Similarity
                                • API ID: Close$DeleteEnumOpen
                                • String ID:
                                APIs
                                • GetDlgItem.USER32(?), ref: 00401CC5
                                • GetClientRect.USER32(00000000,?), ref: 00401CD2
                                • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CF3
                                • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
                                • DeleteObject.GDI32(00000000), ref: 00401D10
                                Similarity
                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                • String ID:
                                APIs
                                • SetWindowTextA.USER32(00000000,Unlocker 1.9.2 Setup), ref: 00403887
                                Strings
                                Similarity
                                • API ID: TextWindow
                                • String ID: 1033$C:\Users\user\AppData\Local\Temp\$Unlocker 1.9.2 Setup
                                APIs
                                • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030B5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 004054D6
                                • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030B5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 004054DF
                                • lstrcatA.KERNEL32(?,00409010), ref: 004054F0
                                Strings
                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004054D0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1925908464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1925881576.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926039664.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926107706.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1926219168.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_Unlocker1.jbxd
                                Similarity
                                • API ID: CharPrevlstrcatlstrlen
                                • String ID: C:\Users\user\AppData\Local\Temp\
                                • API String ID: 2659869361-3081826266
                                APIs
                                • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
                                • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
                                • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
                                • VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24
                                  • Part of subcall function 0040593B: wsprintfA.USER32 ref: 00405948
                                Similarity
                                • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                • String ID:
                                • API String ID: 1404258612-0
                                APIs
                                • CharNextA.USER32(00405316,?,C:\,00000000,004055C8,C:\,C:\,?,?,00000000,00405316,?,"C:\Users\user\Desktop\Unlocker1.9.2.exe",00000000), ref: 00405572
                                • CharNextA.USER32(00000000), ref: 00405577
                                • CharNextA.USER32(00000000), ref: 00405586
                                Similarity
                                • API ID: CharNext
                                • String ID: C:\
                                • API String ID: 3213498283-3404278061
                                APIs
                                • DestroyWindow.USER32(00000000,00000000,00402D9E,00000001), ref: 00402BD1
                                • GetTickCount.KERNEL32 ref: 00402BEF
                                • CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C0C
                                • ShowWindow.USER32(00000000,00000005), ref: 00402C1A
                                Similarity
                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                • String ID:
                                • API String ID: 2102729457-0
                                APIs
                                • lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
                                • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\InstallOptions.dll,00000000,?,?,00000000,00000011), ref: 004024FB
                                Strings
                                • C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\InstallOptions.dll, xrefs: 004024CA, 004024EF
                                Similarity
                                • API ID: FileWritelstrlen
                                • String ID: C:\Users\user\AppData\Local\Temp\nsw59E9.tmp\InstallOptions.dll
                                • API String ID: 427699356-1896263615
                                APIs
                                • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Unlocker1.9.2.exe,C:\Users\user\Desktop\Unlocker1.9.2.exe,80000000,00000003), ref: 0040551D
                                • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Unlocker1.9.2.exe,C:\Users\user\Desktop\Unlocker1.9.2.exe,80000000,00000003), ref: 0040552B
                                Similarity
                                • API ID: CharPrevlstrlen
                                • String ID: C:\Users\user\Desktop
                                • API String ID: 2709904686-224404859
                                APIs
                                • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405837,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405630
                                • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405649
                                • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405657
                                • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405837,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405660
                                Similarity
                                • API ID: lstrlen$CharNextlstrcmpi
                                • String ID:
                                • API String ID: 190613189-0

                                Execution Graph

                                Execution Coverage:29.5%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:6.6%
                                Total number of Nodes:136
                                Total number of Limit Nodes:1

                                Callgraph


                                Control-flow Graph

                                Memory Dump Source
                                • Source File: 00000001.00000002.1892696389.0000000000FE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00FE0000, based on PE: true
                                • Associated: 00000001.00000002.1892662971.0000000000FE0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000001.00000002.1892728693.0000000000FE4000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000001.00000002.1892756318.0000000000FE6000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_fe0000_DeltaTB.jbxd
                                Similarity
                                • API ID: _wcscpy$FileFindFirst_wcscat
                                • String ID: .dll,$setup.exe
                                • API String ID: 2931365424-1808119565

                                Control-flow Graph

                                APIs
                                • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 00FE19B5
                                • GetLastError.KERNEL32 ref: 00FE19BF
                                • SetCurrentDirectoryW.KERNELBASE(?), ref: 00FE19CB
                                • _wcslen.LIBCMT ref: 00FE1A55
                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 00FE1A72
                                • GetLastError.KERNEL32 ref: 00FE1A7C
                                • DeleteFileW.KERNELBASE(?), ref: 00FE1AA5
                                • GetLastError.KERNEL32 ref: 00FE1AAF
                                • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00FE1ACC
                                • WriteFile.KERNELBASE(00000000,?,?,?,00000000), ref: 00FE1AEF
                                • SetFileTime.KERNELBASE(00000000,?,?,?), ref: 00FE1B05
                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00FE1B0C
                                • SetCurrentDirectoryW.KERNELBASE(?), ref: 00FE1B23
                                Similarity
                                • API ID: DirectoryFile$CurrentErrorLast$Create$ChangeCloseDeleteFindNotificationTimeWrite_wcslen
                                • String ID:
                                • API String ID: 113073435-0

                                Control-flow Graph

                                APIs
                                • _wcscpy.LIBCMT ref: 00FE1116
                                  • Part of subcall function 00FE221A: lstrlenW.KERNEL32(?,00FE143E), ref: 00FE221B
                                  • Part of subcall function 00FE221A: lstrcatW.KERNEL32(?,00FE4238), ref: 00FE222F
                                • wsprintfW.USER32 ref: 00FE117F
                                • wsprintfW.USER32 ref: 00FE11B6
                                • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 00FE11D7
                                • GetExitCodeProcess.KERNELBASE(?,?), ref: 00FE11F6
                                Similarity
                                • API ID: Processwsprintf$CodeCreateExit_wcscpylstrcatlstrlen
                                • String ID: "%s%s" %s$"%srundll32.exe" "%s%s" %s$.dll,$.msi$msiexec /i "%s%s" %s$setup.exe
                                • API String ID: 1002973698-2298058916

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00FE1B83: LoadLibraryA.KERNEL32(Kernel32.dll,?,00000000), ref: 00FE1B9F
                                  • Part of subcall function 00FE1B83: GetProcAddress.KERNEL32(00000000,?), ref: 00FE1BF1
                                  • Part of subcall function 00FE1B83: LoadLibraryA.KERNELBASE(?,?,00000000), ref: 00FE1C94
                                • ExitProcess.KERNEL32 ref: 00FE170F
                                  • Part of subcall function 00FE154E: _wcscpy.LIBCMT ref: 00FE1581
                                  • Part of subcall function 00FE154E: _wcscat.LIBCMT ref: 00FE158F
                                  • Part of subcall function 00FE154E: _wcscat.LIBCMT ref: 00FE1599
                                • _wcslen.LIBCMT ref: 00FE16AB
                                • RemoveDirectoryW.KERNELBASE(?,?,00000001,?), ref: 00FE16F8
                                Memory Dump Source
                                • Source File: 00000001.00000002.1892696389.0000000000FE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00FE0000, based on PE: true
                                • Associated: 00000001.00000002.1892662971.0000000000FE0000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000001.00000002.1892728693.0000000000FE4000.00000002.00000001.01000000.00000009.sdmp
                                • Associated: 00000001.00000002.1892756318.0000000000FE6000.00000002.00000001.01000000.00000009.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_fe0000_DeltaTB.jbxd
                                Similarity
                                • API ID: LibraryLoad_wcscat$AddressDirectoryExitProcProcessRemove_wcscpy_wcslen
                                • String ID: -nodel$-rt$/nodel$/rt$ExecuteFiles$setup.exe

                                Control-flow Graph (first node: fe1889-fe18a7)
                                APIs
                                • GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,?), ref: 00FE18B8
                                • GetLastError.KERNEL32 ref: 00FE18C2
                                • SetCurrentDirectoryW.KERNELBASE(?), ref: 00FE18CE
                                • _wcslen.LIBCMT ref: 00FE1914
                                • RemoveDirectoryW.KERNELBASE(?,00000000), ref: 00FE1939
                                • DeleteFileW.KERNELBASE(?,00000000), ref: 00FE1942
                                • GetLastError.KERNEL32 ref: 00FE194C
                                • SetCurrentDirectoryW.KERNELBASE(?,00000000), ref: 00FE1960
                                • GetLastError.KERNEL32 ref: 00FE196A
                                Similarity
                                • API ID: Directory$CurrentErrorLast$DeleteFileRemove_wcslen

                                Control-flow Graph (first node: fe1b83-fe1bab)
                                APIs
                                • LoadLibraryA.KERNEL32(Kernel32.dll,?,00000000), ref: 00FE1B9F
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00FE1BF1
                                • LoadLibraryA.KERNELBASE(?,?,00000000), ref: 00FE1C94
                                • LoadLibraryA.KERNELBASE(?,?,00000000), ref: 00FE1F47
                                Similarity
                                • API ID: LibraryLoad$AddressProc
                                • String ID: Kernel32.dll

                                Control-flow Graph (first node: fe1372-fe138c)
                                APIs
                                • wsprintfW.USER32 ref: 00FE14A4
                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 00FE14AF
                                Strings
                                • %s%08lX-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X\, xrefs: 00FE149E
                                Similarity
                                • API ID: CreateDirectorywsprintf
                                • String ID: %s%08lX-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X\

                                Control-flow Graph (first node: fe1000-fe1013)
                                APIs
                                  • Part of subcall function 00FE1372: wsprintfW.USER32 ref: 00FE14A4
                                  • Part of subcall function 00FE1372: CreateDirectoryW.KERNELBASE(?,00000000), ref: 00FE14AF
                                • FindResourceW.KERNEL32(?,Files,0000000A,?,?,?,?,?,00FE1603), ref: 00FE102A
                                Similarity
                                • API ID: CreateDirectoryFindResourcewsprintf
                                • String ID: Files

                                Control-flow Graph (first node: fe12e1-fe131f)
                                APIs
                                Similarity
                                • API ID: _wcsncpy

                                Control-flow Graph (first node: fe17bc-fe17c1)
                                APIs
                                • VirtualFree.KERNELBASE(?,00000000,00008000,00FE107A,?,?,?,?,?,?,00FE1603), ref: 00FE17CB
                                Similarity
                                • API ID: FreeVirtual

                                Control-flow Graph (first node: fe2236-fe223b)
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00FE1863,00000000,?,?), ref: 00FE224D
                                Similarity
                                • API ID: AllocVirtual

                                Control-flow Graph (first node: fe23ab-fe23bc)
                                APIs
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00FE23B6
                                Similarity
                                • API ID: FreeVirtual

                                APIs
                                • IsDebuggerPresent.KERNEL32 ref: 00FE3D77
                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FE3D8C
                                • UnhandledExceptionFilter.KERNEL32(00FE409C), ref: 00FE3D97
                                • GetCurrentProcess.KERNEL32(C0000409), ref: 00FE3DB3
                                • TerminateProcess.KERNEL32(00000000), ref: 00FE3DBA
                                Similarity
                                • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                APIs
                                • LoadResource.KERNEL32(?,?,?,?,00FE1045,?,?,?,00000000,?,?,?,?,?,00FE1603), ref: 00FE1B4E
                                • SizeofResource.KERNEL32(?,?,?,00FE1045,?,?,?,00000000,?,?,?,?,?,00FE1603), ref: 00FE1B60
                                • LockResource.KERNEL32(00000000,?,00FE1045,?,?,?,00000000,?,?,?,?,?,00FE1603), ref: 00FE1B6C
                                Similarity
                                • API ID: Resource$LoadLockSizeof
                                APIs
                                Similarity
                                • API ID: _wcscat$_wcscpy
                                • String ID: CommandLine

                                Execution Graph

                                Execution Coverage:5.9%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:0.2%
                                Total number of Nodes:2000
                                Total number of Limit Nodes:197
93426 452015 93425->93426 93484 457948 67 API calls 3 library calls 93425->93484 93428 4572a0 93426->93428 93486 456860 93428->93486 93430 4572ac GetModuleHandleW 93431 4572c3 93430->93431 93432 4572bc 93430->93432 93434 4572fe 93431->93434 93435 4572da GetProcAddress GetProcAddress 93431->93435 93505 457918 Sleep GetModuleHandleW 93432->93505 93437 457dfc __lock 63 API calls 93434->93437 93435->93434 93436 4572c2 93436->93431 93438 45731d InterlockedIncrement 93437->93438 93487 457375 93438->93487 93441 457dfc __lock 63 API calls 93442 45733e 93441->93442 93490 45af05 InterlockedIncrement 93442->93490 93447->93396 93449->93406 93450->93416 93452 45d917 __sopen_helper 93451->93452 93453 45d92f 93452->93453 93458 45d94e _memset 93452->93458 93464 454477 67 API calls __getptd_noexit 93453->93464 93455 45d934 93465 4557a5 6 API calls 2 library calls 93455->93465 93457 45d9c0 HeapAlloc 93457->93458 93458->93457 93459 45d944 __sopen_helper 93458->93459 93461 457dfc __lock 66 API calls 93458->93461 93466 45860e 5 API calls 2 library calls 93458->93466 93467 45da07 LeaveCriticalSection __mtinitlocknum 93458->93467 93468 456ffc 6 API calls __decode_pointer 93458->93468 93459->93420 93461->93458 93464->93455 93466->93458 93467->93458 93468->93458 93470 457212 ___set_flsgetvalue 8 API calls 93469->93470 93471 45739e 93470->93471 93472 4573f4 SetLastError 93471->93472 93473 457789 __calloc_crt 64 API calls 93471->93473 93472->93425 93474 4573b2 93473->93474 93474->93472 93475 4573ba 93474->93475 93485 457177 6 API calls __crt_waiting_on_module_handle 93475->93485 93477 4573cc 93478 4573d3 93477->93478 93479 4573eb 93477->93479 93480 4572a0 __initptd 64 API calls 93478->93480 93481 44fafc __getptd_noexit 64 API calls 93479->93481 93482 4573db GetCurrentThreadId 93480->93482 93483 4573f1 93481->93483 93482->93472 93483->93472 93484->93426 93485->93477 93486->93430 93506 457d22 LeaveCriticalSection 93487->93506 93489 457337 93489->93441 93491 45af26 93490->93491 93492 45af23 
InterlockedIncrement 93490->93492 93492->93491 93505->93436 93506->93489 93564 424e80 93567 424f20 93564->93567 93568 424f59 _Immortalize 93567->93568 93569 4175c0 _Immortalize 67 API calls 93568->93569 93570 424f62 StrStrW 93569->93570 93571 424fc6 _memset _Immortalize 93570->93571 93572 424f7c _Immortalize 93570->93572 93573 424fde InternetCrackUrlW 93571->93573 93575 417910 _Immortalize 75 API calls 93572->93575 93574 4176e0 codecvt 67 API calls 93573->93574 93576 4250b7 93574->93576 93577 424f98 93575->93577 93579 44f6c8 __except_handler4 5 API calls 93576->93579 93578 4181d0 _Immortalize 75 API calls 93577->93578 93580 424fab 93578->93580 93581 424ef0 93579->93581 93582 4176e0 codecvt 67 API calls 93580->93582 93583 424fba 93582->93583 93584 4130d0 _Immortalize 75 API calls 93583->93584 93584->93571 93585 423300 93588 491a00 93585->93588 93589 491a43 93588->93589 93594 42331a 93588->93594 93589->93594 93597 490300 93589->93597 93591 491a5c 93592 491abd 93591->93592 93596 491a67 93591->93596 93593 491160 100 API calls 93592->93593 93593->93594 93596->93594 93605 491160 93596->93605 93598 490333 _Immortalize 93597->93598 93599 490378 _Immortalize 93598->93599 93611 4901a0 93598->93611 93599->93591 93602 4181d0 _Immortalize 75 API calls 93603 490369 93602->93603 93604 4176e0 codecvt 67 API calls 93603->93604 93604->93599 93606 491177 93605->93606 93607 49116d 93605->93607 93649 4fc3d0 93606->93649 93621 4908a0 GetTickCount 93607->93621 93614 490070 93611->93614 93615 4900c3 93614->93615 93616 4900a1 93614->93616 93615->93602 93617 44f76f _Allocate 75 API calls 93616->93617 93618 4900a8 93617->93618 93618->93615 93620 432510 75 API calls 93618->93620 93620->93615 93622 4908e0 _Immortalize 93621->93622 93623 4175c0 _Immortalize 67 API calls 93622->93623 93637 4908f4 93622->93637 93626 49091d _Immortalize 93623->93626 93624 44f6c8 __except_handler4 5 API calls 93625 490ac8 93624->93625 93625->93606 93627 4175c0 _Immortalize 67 API calls 93626->93627 93628 490938 
93627->93628 93629 49094d 93628->93629 93721 405140 93628->93721 93658 4903a0 93629->93658 93637->93624 93650 4fc3e8 93649->93650 93651 4fc3e0 93649->93651 93656 491183 93650->93656 93774 4fc240 93650->93774 93652 4fc3e6 93651->93652 93653 4fc402 93651->93653 93652->93656 93798 4fc180 93652->93798 93653->93656 93786 4fc300 93653->93786 93656->93596 93659 4903d9 std::_Iterator_base::_Iterator_base 93658->93659 93660 417a20 _Immortalize 75 API calls 93659->93660 93661 4903ef 93660->93661 93662 417a20 _Immortalize 75 API calls 93661->93662 93663 4903fe _Immortalize 93662->93663 93664 4175c0 _Immortalize 67 API calls 93663->93664 93665 490412 93664->93665 93666 494f20 6 API calls 93665->93666 93667 49041b _Immortalize 93666->93667 93669 49052c codecvt _Immortalize 93667->93669 93730 443050 CoCreateInstance 93667->93730 93670 41eea0 codecvt 2 API calls 93669->93670 93672 4905fc _Immortalize 93669->93672 93676 49055f _memset 93670->93676 93671 49083b _Immortalize 93678 4176e0 codecvt 67 API calls 93671->93678 93672->93671 93673 4130d0 _Immortalize 75 API calls 93672->93673 93674 49061c _Immortalize 93673->93674 93682 41eea0 codecvt 2 API calls 93674->93682 93675 490443 codecvt 93675->93669 93731 494f40 93675->93731 93676->93672 93677 41ede0 codecvt RegQueryValueExW 93676->93677 93686 4905b0 _Immortalize 93677->93686 93680 490862 93678->93680 93683 41ef60 codecvt RegCloseKey 93680->93683 93681 4905f4 93684 41ef10 codecvt RegCloseKey 93681->93684 93691 490634 _memset 93682->93691 93685 490871 93683->93685 93684->93672 93686->93681 93688 417910 _Immortalize 75 API calls 93686->93688 93690 4905d2 93688->93690 93691->93671 93693 41ede0 codecvt RegQueryValueExW 93691->93693 93722 405155 93721->93722 93740 406c00 93722->93740 93724 405193 93724->93629 93730->93675 93734 494af0 93731->93734 93735 494b3d 93734->93735 93736 494b0c GetVersionExW 93734->93736 93737 44f6c8 __except_handler4 5 API calls 93735->93737 93736->93735 93738 494b28 93736->93738 93739 494b4c 93737->93739 
93738->93735 93741 406c15 93740->93741 93742 417a20 _Immortalize 75 API calls 93741->93742 93743 406c60 _DebugHeapAllocator _Immortalize 93742->93743 93743->93724 93810 484b40 93774->93810 93888 48c830 93786->93888 93789 4fc371 93791 44f76f _Allocate 75 API calls 93789->93791 93790 4fc331 93792 44f76f _Allocate 75 API calls 93790->93792 93794 4fc37b 93791->93794 93793 4fc338 93792->93793 93797 4fc353 93793->93797 93911 442f10 67 API calls _Immortalize 93793->93911 93794->93797 93912 48c180 75 API calls 93794->93912 93797->93656 93799 47f670 70 API calls 93798->93799 93800 4fc1ac 93799->93800 93801 4fc1f3 93800->93801 93802 4fc1b3 93800->93802 93804 44f76f _Allocate 75 API calls 93801->93804 93803 44f76f _Allocate 75 API calls 93802->93803 93806 4fc1ba 93803->93806 93805 4fc1fa 93804->93805 93807 4fc1d5 93805->93807 93956 442e40 67 API calls 2 library calls 93805->93956 93806->93807 93955 442f10 67 API calls _Immortalize 93806->93955 93807->93656 93811 484b70 _Immortalize 93810->93811 93812 4175c0 _Immortalize 67 API calls 93811->93812 93813 484b79 93812->93813 93824 484b20 93813->93824 93816 484b9b 93831 495e20 93824->93831 93827 49e7e0 93832 495e53 _Immortalize std::_Iterator_base::_Iterator_base 93831->93832 93833 417910 _Immortalize 75 API calls 93832->93833 93834 495e73 93833->93834 93835 4130d0 _Immortalize 75 API calls 93834->93835 93836 495e83 _Immortalize 93835->93836 93837 41eea0 codecvt 2 API calls 93836->93837 93841 495e9b _memset 93837->93841 93838 495fa5 93839 4176e0 codecvt 67 API calls 93838->93839 93840 495fbb 93839->93840 93842 41ef60 codecvt RegCloseKey 93840->93842 93841->93838 93843 41ede0 codecvt RegQueryValueExW 93841->93843 93844 495f9d 93842->93844 93845 495ee7 93843->93845 93846 44f6c8 __except_handler4 5 API calls 93844->93846 93845->93838 93848 495eef _wcslen 93845->93848 93847 484b31 93846->93847 93847->93816 93847->93827 93849 495f24 PathAddBackslashW 93848->93849 93850 495f3c _Immortalize 93849->93850 93851 417910 _Immortalize 75 API 
calls 93850->93851 93852 495f4f 93851->93852 93853 4181d0 _Immortalize 75 API calls 93852->93853 93889 48c860 _Immortalize 93888->93889 93890 4175c0 _Immortalize 67 API calls 93889->93890 93891 48c869 93890->93891 93913 48bd40 93891->93913 93893 48c879 93894 48c90c 93893->93894 93897 48c884 93893->93897 93895 4176e0 codecvt 67 API calls 93894->93895 93896 48c907 93895->93896 93899 44f6c8 __except_handler4 5 API calls 93896->93899 93930 4098d0 93897->93930 93901 48c937 93899->93901 93901->93789 93901->93790 93911->93797 93912->93797 93914 495e20 79 API calls 93913->93914 93915 48bd73 93914->93915 93916 495d00 78 API calls 93915->93916 93929 48bd7a _Immortalize 93915->93929 93917 48bd99 93916->93917 93918 4130d0 _Immortalize 75 API calls 93917->93918 93917->93929 93919 48bdb9 93918->93919 93920 4098d0 _Immortalize 75 API calls 93919->93920 93921 48bde3 93920->93921 93922 409810 _Immortalize 75 API calls 93921->93922 93923 48be02 93922->93923 93924 49e7e0 _Immortalize 69 API calls 93923->93924 93925 48be11 93924->93925 93926 4176e0 codecvt 67 API calls 93925->93926 93927 48be23 93926->93927 93928 4178c0 _Immortalize 67 API calls 93927->93928 93928->93929 93929->93893 93943 417620 93930->93943 93933 4130d0 _Immortalize 75 API calls 93934 409924 93933->93934 93935 417620 _Immortalize 75 API calls 93934->93935 93944 417633 _DebugHeapAllocator 93943->93944 93945 417e70 _Immortalize 67 API calls 93944->93945 93946 41763f 93945->93946 93947 4180c0 std::locale::_Locimp::_Addfac 75 API calls 93946->93947 93948 409908 93947->93948 93948->93933 93955->93807 93956->93807 93957 437880 93958 437891 93957->93958 93961 4246a0 93958->93961 93962 4246b0 93961->93962 93971 424630 93962->93971 93964 4246cd 93970 4246d4 93964->93970 93977 424570 93964->93977 93969 4245c0 22 API calls 93969->93970 93972 424640 93971->93972 93973 42465a IsValidCodePage 93972->93973 93976 42464a 93972->93976 93974 424669 93973->93974 93973->93976 93986 4244c0 7 API calls 93974->93986 93976->93964 93978 
424580 DeleteObject 93977->93978 93979 424597 93977->93979 93978->93979 93980 4245a0 DeleteObject 93979->93980 93981 4245b7 93979->93981 93980->93981 93982 4245c0 93981->93982 93983 4245d4 93982->93983 93987 424280 GetDC 93983->93987 93986->93976 93988 4242f4 93987->93988 93989 424398 GetDeviceCaps MulDiv 93988->93989 93990 4243be MulDiv 93988->93990 93992 4243d7 93988->93992 93989->93992 93990->93992 93991 424436 93993 424463 _wcscpy 93991->93993 93994 42443c GetDeviceCaps MulDiv 93991->93994 93992->93991 93999 424140 93992->93999 93995 424479 ReleaseDC 93993->93995 93994->93993 93997 44f6c8 __except_handler4 5 API calls 93995->93997 93998 424492 93997->93998 93998->93969 94000 424156 93999->94000 94001 42415e GetDC 93999->94001 94002 424169 CreateFontW SelectObject GetTextFaceW 94000->94002 94001->94002 94003 4241cf GetTextCharset 94002->94003 94004 4241c6 94002->94004 94003->94004 94005 4241f6 SelectObject 94004->94005 94006 4241e8 GetTextMetricsW 94004->94006 94007 424216 94005->94007 94008 42420a ReleaseDC 94005->94008 94006->94005 94009 42423b DeleteObject 94007->94009 94010 424229 StrStrIW 94007->94010 94011 42424e _wcscpy 94007->94011 94008->94007 94009->94011 94010->94009 94010->94011 94012 44f6c8 __except_handler4 5 API calls 94011->94012 94013 424271 94012->94013 94013->93992 94014 434c80 94017 4c0d10 94014->94017 94016 434c8f codecvt 94026 4c0930 94017->94026 94020 4176e0 codecvt 67 API calls 94021 4c0d70 94020->94021 94022 4176e0 codecvt 67 API calls 94021->94022 94023 4c0d82 codecvt 94022->94023 94040 49f630 94023->94040 94027 4c0966 codecvt 94026->94027 94028 4c0977 GetLocalTime 94027->94028 94039 4c096d 94027->94039 94029 4c0989 _Immortalize 94028->94029 94032 4175c0 _Immortalize 67 API calls 94029->94032 94030 44f6c8 __except_handler4 5 API calls 94031 4c0a19 DeleteCriticalSection 94030->94031 94031->94020 94033 4c0992 94032->94033 94045 416600 94033->94045 94036 4c09eb 94038 4176e0 codecvt 67 API calls 94036->94038 94038->94039 94039->94030 94578 
49f4c0 94040->94578 94043 4176e0 codecvt 67 API calls 94044 49f680 94043->94044 94044->94016 94093 416580 94045->94093 94048 4c0430 94343 434c10 94048->94343 94050 4c0470 GetLocalTime 94051 4c0489 _Immortalize 94050->94051 94344 4bfe70 94051->94344 94094 41658d __write_nolock 94093->94094 94104 4efbf0 94094->94104 94097 4165c2 94107 4163a0 94097->94107 94098 4165da 94113 416560 75 API calls std::ios_base::clear 94098->94113 94101 4165d8 94102 44f6c8 __except_handler4 5 API calls 94101->94102 94103 4165f1 94102->94103 94103->94036 94103->94048 94114 451961 94104->94114 94108 4163c2 94107->94108 94109 4163ad 94107->94109 94342 416560 75 API calls std::ios_base::clear 94108->94342 94110 4177a0 std::locale::_Locimp::_Addfac 75 API calls 94109->94110 94112 4163c0 94110->94112 94112->94101 94113->94101 94117 451869 94114->94117 94118 451899 94117->94118 94119 451879 94117->94119 94121 4518a9 94118->94121 94127 4518c9 94118->94127 94132 454477 67 API calls __getptd_noexit 94119->94132 94134 454477 67 API calls __getptd_noexit 94121->94134 94122 45187e 94133 4557a5 6 API calls 2 library calls 94122->94133 94125 4518ae 94135 4557a5 6 API calls 2 library calls 94125->94135 94128 451910 94127->94128 94130 4165b0 94127->94130 94136 458d95 94127->94136 94128->94130 94131 458d95 __flsbuf 101 API calls 94128->94131 94130->94097 94130->94098 94131->94130 94132->94122 94134->94125 94157 4544c0 94136->94157 94139 458dc7 94142 458dd8 __flsbuf 94139->94142 94143 458dcb 94139->94143 94140 458db0 94195 454477 67 API calls __getptd_noexit 94140->94195 94145 458db5 94142->94145 94153 458e2e 94142->94153 94156 458e39 94142->94156 94197 465b41 94142->94197 94196 454477 67 API calls __getptd_noexit 94143->94196 94145->94128 94146 458ec8 94148 45e4ee __locking 101 API calls 94146->94148 94147 458e48 94149 458e5f 94147->94149 94152 458e7c 94147->94152 94148->94145 94209 45e4ee 94149->94209 94152->94145 94163 4659df 94152->94163 94153->94156 94206 465af8 94153->94206 94156->94146 94156->94147 
94158 4544e4 94157->94158 94159 4544cf 94157->94159 94158->94139 94158->94140 94234 454477 67 API calls __getptd_noexit 94159->94234 94161 4544d4 94235 4557a5 6 API calls 2 library calls 94161->94235 94164 4659eb __sopen_helper 94163->94164 94165 4659fc 94164->94165 94166 465a18 94164->94166 94256 45448a 67 API calls __getptd_noexit 94165->94256 94167 465a26 94166->94167 94169 465a47 94166->94169 94258 45448a 67 API calls __getptd_noexit 94167->94258 94173 465a67 94169->94173 94174 465a8d 94169->94174 94171 465a01 94257 454477 67 API calls __getptd_noexit 94171->94257 94172 465a2b 94259 454477 67 API calls __getptd_noexit 94172->94259 94261 45448a 67 API calls __getptd_noexit 94173->94261 94236 462136 94174->94236 94180 465a32 94260 4557a5 6 API calls 2 library calls 94180->94260 94181 465a6c 94262 454477 67 API calls __getptd_noexit 94181->94262 94188 465a73 94189 465a09 __sopen_helper 94189->94145 94195->94145 94196->94145 94198 465b4e 94197->94198 94199 465b5d 94197->94199 94267 454477 67 API calls __getptd_noexit 94198->94267 94202 465b81 94199->94202 94268 454477 67 API calls __getptd_noexit 94199->94268 94201 465b53 94201->94153 94202->94153 94204 465b71 94269 4557a5 6 API calls 2 library calls 94204->94269 94207 457744 __malloc_crt 67 API calls 94206->94207 94208 465b0d 94207->94208 94208->94156 94210 45e4fa __sopen_helper 94209->94210 94211 45e502 94210->94211 94212 45e51d 94210->94212 94334 45448a 67 API calls __getptd_noexit 94211->94334 94214 45e52b 94212->94214 94218 45e56c 94212->94218 94336 45448a 67 API calls __getptd_noexit 94214->94336 94216 45e507 94335 454477 67 API calls __getptd_noexit 94216->94335 94217 45e530 94337 454477 67 API calls __getptd_noexit 94217->94337 94221 462136 ___lock_fhandle 68 API calls 94218->94221 94223 45e572 94221->94223 94222 45e537 94338 4557a5 6 API calls 2 library calls 94222->94338 94225 45e595 94223->94225 94226 45e57f 94223->94226 94339 454477 67 API calls __getptd_noexit 94225->94339 94270 45ddbb 94226->94270 
94227 45e50f __sopen_helper 94227->94145 94231 45e59a 94234->94161 94237 462142 __sopen_helper 94236->94237 94238 46219d 94237->94238 94241 457dfc __lock 67 API calls 94237->94241 94239 4621a2 EnterCriticalSection 94238->94239 94240 4621bf __sopen_helper 94238->94240 94239->94240 94242 46216e 94241->94242 94256->94171 94257->94189 94258->94172 94259->94180 94261->94181 94262->94188 94267->94201 94268->94204 94271 45ddca __write_nolock 94270->94271 94334->94216 94335->94227 94336->94217 94337->94222 94339->94231 94342->94112 94343->94050 94345 4bfeb3 _Immortalize 94344->94345 94346 4bff46 _Immortalize 94345->94346 94348 4175c0 _Immortalize 67 API calls 94345->94348 94347 417910 _Immortalize 75 API calls 94346->94347 94349 4bff6c 94347->94349 94350 4bff3c 94348->94350 94352 4181d0 _Immortalize 75 API calls 94349->94352 94414 44fae5 74 API calls _Immortalize 94350->94414 94353 4bff84 94352->94353 94414->94346 94579 49f4dc 94578->94579 94580 49f4d0 94578->94580 94579->94043 94582 454569 94580->94582 94583 454575 __sopen_helper 94582->94583 94584 4545a6 94583->94584 94585 454589 94583->94585 94588 45d801 __lock_file 68 API calls 94584->94588 94593 45459e __sopen_helper 94584->94593 94611 454477 67 API calls __getptd_noexit 94585->94611 94587 45458e 94612 4557a5 6 API calls 2 library calls 94587->94612 94590 4545be 94588->94590 94595 4544f2 94590->94595 94593->94579 94596 454506 94595->94596 94597 454522 94595->94597 94641 454477 67 API calls __getptd_noexit 94596->94641 94599 45451b 94597->94599 94601 4545e5 __flush 101 API calls 94597->94601 94613 4545dd LeaveCriticalSection LeaveCriticalSection __wfsopen 94599->94613 94600 45450b 94642 4557a5 6 API calls 2 library calls 94600->94642 94603 45452e 94601->94603 94614 460fad 94603->94614 94606 4544c0 __fileno 67 API calls 94607 45453c 94606->94607 94618 460ee0 94607->94618 94611->94587 94613->94593 94615 460fbd 94614->94615 94616 454536 94614->94616 94615->94616 94617 44fafc __getptd_noexit 67 API calls 94615->94617 
94616->94606 94617->94616 94619 460eec __sopen_helper 94618->94619 94620 460ef4 94619->94620 94621 460f0f 94619->94621 94658 45448a 67 API calls __getptd_noexit 94620->94658 94622 460f1d 94621->94622 94628 460f5e 94621->94628 94660 45448a 67 API calls __getptd_noexit 94622->94660 94624 460ef9 94659 454477 67 API calls __getptd_noexit 94624->94659 94627 460f22 94630 462136 ___lock_fhandle 68 API calls 94628->94630 94631 460f64 94630->94631 94641->94600 94658->94624 94660->94627 94685 430900 94704 4bf560 94685->94704 94688 43098e 94691 44f6c8 __except_handler4 5 API calls 94688->94691 94689 4bf560 112 API calls 94690 430960 94689->94690 94693 430989 94690->94693 94694 4309a8 _Immortalize 94690->94694 94692 430a73 94691->94692 94695 4bf560 112 API calls 94693->94695 94696 4175c0 _Immortalize 67 API calls 94694->94696 94695->94688 94697 4309b9 94696->94697 94698 416600 codecvt 109 API calls 94697->94698 94699 4309e0 _Immortalize 94698->94699 94700 4309f2 MessageBoxW 94699->94700 94707 4c2160 111 API calls 6 library calls 94700->94707 94702 430a05 94703 4176e0 codecvt 67 API calls 94702->94703 94703->94688 94708 4c0dc0 94704->94708 94707->94702 94709 4c0dec 94708->94709 94710 430942 94708->94710 94714 4c0300 112 API calls _Immortalize 94709->94714 94710->94688 94710->94689 94712 4c0e0c 94715 44fae5 74 API calls _Immortalize 94712->94715 94714->94712 94715->94710 94716 435600 94719 453f33 94716->94719 94718 435613 94720 453f3f __sopen_helper 94719->94720 94721 453f4d 94720->94721 94722 453f6a 94720->94722 94749 454477 67 API calls __getptd_noexit 94721->94749 94723 45d801 __lock_file 68 API calls 94722->94723 94725 453f72 94723->94725 94732 453d96 94725->94732 94726 453f52 94750 4557a5 6 API calls 2 library calls 94726->94750 94731 453f62 __sopen_helper 94731->94718 94733 453dc9 94732->94733 94734 453da9 94732->94734 94736 4544c0 __fileno 67 API calls 94733->94736 94777 454477 67 API calls __getptd_noexit 94734->94777 94737 453dcf 94736->94737 94752 45d64e 94737->94752 
94738 453dae 94778 4557a5 6 API calls 2 library calls 94738->94778 94741 453de4 94742 453e58 94741->94742 94744 453e13 94741->94744 94748 453dbe 94741->94748 94779 454477 67 API calls __getptd_noexit 94742->94779 94745 45d64e __locking 71 API calls 94744->94745 94744->94748 94746 453eb3 94745->94746 94747 45d64e __locking 71 API calls 94746->94747 94746->94748 94747->94748 94751 453f97 LeaveCriticalSection LeaveCriticalSection __wfsopen 94748->94751 94749->94726 94751->94731 94753 45d65a __sopen_helper 94752->94753 94754 45d662 94753->94754 94755 45d67d 94753->94755 94790 45448a 67 API calls __getptd_noexit 94754->94790 94756 45d68b 94755->94756 94761 45d6cc 94755->94761 94792 45448a 67 API calls __getptd_noexit 94756->94792 94759 45d667 94791 454477 67 API calls __getptd_noexit 94759->94791 94760 45d690 94793 454477 67 API calls __getptd_noexit 94760->94793 94764 462136 ___lock_fhandle 68 API calls 94761->94764 94766 45d6d2 94764->94766 94765 45d697 94794 4557a5 6 API calls 2 library calls 94765->94794 94768 45d6f5 94766->94768 94769 45d6df 94766->94769 94795 454477 67 API calls __getptd_noexit 94768->94795 94780 45d5d9 94769->94780 94772 45d66f __sopen_helper 94772->94741 94773 45d6ed 94797 45d720 LeaveCriticalSection __unlock_fhandle 94773->94797 94774 45d6fa 94796 45448a 67 API calls __getptd_noexit 94774->94796 94777->94738 94779->94748 94781 4620bf __lseeki64_nolock 67 API calls 94780->94781 94782 45d5e8 94781->94782 94783 45d5fe SetFilePointer 94782->94783 94784 45d5ee 94782->94784 94786 45d615 GetLastError 94783->94786 94787 45d61d 94783->94787 94798 454477 67 API calls __getptd_noexit 94784->94798 94786->94787 94788 45d5f3 94787->94788 94799 45449d 67 API calls 3 library calls 94787->94799 94788->94773 94790->94759 94791->94772 94792->94760 94793->94765 94795->94774 94796->94773 94797->94772 94798->94788 94799->94788 94800 430a80 94803 4528a9 94800->94803 94802 430a9b 94806 4528b5 __sopen_helper 94803->94806 94804 4528c3 94828 454477 67 API calls 
__getptd_noexit 94804->94828 94806->94804 94807 4528f1 94806->94807 94808 45d801 __lock_file 68 API calls 94807->94808 94810 4528f9 94808->94810 94809 4528c8 94829 4557a5 6 API calls 2 library calls 94809->94829 94816 45281f 94810->94816 94815 4528d8 __sopen_helper 94815->94802 94817 45283f 94816->94817 94818 45282f 94816->94818 94820 453d96 __ftell_nolock 71 API calls 94817->94820 94823 452851 94817->94823 94831 454477 67 API calls __getptd_noexit 94818->94831 94820->94823 94821 4545e5 __flush 101 API calls 94824 45285f 94821->94824 94822 452834 94830 452924 LeaveCriticalSection LeaveCriticalSection __wfsopen 94822->94830 94823->94821 94825 4544c0 __fileno 67 API calls 94824->94825 94826 452891 94825->94826 94827 45d64e __locking 71 API calls 94826->94827 94827->94822 94828->94809 94830->94815 94831->94822 94832 430780 CLSIDFromProgID 94833 4307aa CoCreateInstance 94832->94833 94834 4307c8 94832->94834 94833->94834 94835 44f6c8 __except_handler4 5 API calls 94834->94835 94836 4307d5 94835->94836 94837 437780 94838 437794 _Immortalize 94837->94838 94839 4377c6 94838->94839 94840 43779b _Immortalize 94838->94840 94841 4377d1 SetSecurityInfo 94839->94841 94842 4377f7 94839->94842 94843 4377bd SetNamedSecurityInfoW 94840->94843 94841->94842 94843->94842 94844 44f140 94847 44f120 94844->94847 94846 44f14f codecvt 94850 470870 94847->94850 94851 470880 94850->94851 94852 47088c 94850->94852 94854 44fafc __getptd_noexit 67 API calls 94851->94854 94853 44f138 94852->94853 94855 44fafc __getptd_noexit 67 API calls 94852->94855 94853->94846 94854->94852 94855->94853 94856 4cd380 94857 4cd38f LoadIconW 94856->94857 94858 4cd3a3 94856->94858 94859 4cd3aa 94857->94859 94861 4d5a80 94858->94861 94862 4d5ab8 94861->94862 94863 4098d0 _Immortalize 75 API calls 94862->94863 94864 4d5ade 94863->94864 94865 409810 _Immortalize 75 API calls 94864->94865 94866 4d5afd 94865->94866 94867 4178c0 _Immortalize 67 API calls 94866->94867 94868 4d5b09 94867->94868 94869 49e7e0 _Immortalize 69 
API calls 94868->94869 94871 4d5b14 _Immortalize 94869->94871 94870 4d5b43 94872 4d5b5f IsWindow 94870->94872 94876 4d5b55 LoadIconW 94870->94876 94871->94870 94878 4d5b39 LoadImageW 94871->94878 94873 4d5b6d SendMessageW SendMessageW 94872->94873 94874 4d5b97 94872->94874 94873->94874 94875 4176e0 codecvt 67 API calls 94874->94875 94877 4d5bac 94875->94877 94876->94872 94879 44f6c8 __except_handler4 5 API calls 94877->94879 94878->94870 94880 4d5bc4 94879->94880 94880->94859 94881 6091c89c 94900 6091c0f8 94881->94900 94884 6091c8c6 94916 60953294 sqlite3_log 94884->94916 94885 6091c8d8 sqlite3_mutex_enter 94887 6091c8f5 94885->94887 94890 6091c92b 94887->94890 94897 6091c8e8 sqlite3_reset 94887->94897 94905 6091c678 94887->94905 94917 6093d3d8 156 API calls 94887->94917 94888 6091c8d3 94891 6091c96f 94890->94891 94894 6091c941 sqlite3_value_text 94890->94894 94920 60904abc 127 API calls 94891->94920 94918 60904648 sqlite3_free 94894->94918 94895 6091c99d sqlite3_mutex_leave 94895->94888 94897->94887 94898 6091c959 94898->94891 94919 609049ec 7 API calls 94898->94919 94901 6091c110 sqlite3_log 94900->94901 94902 6091c105 94900->94902 94904 6091c10e 94901->94904 94921 6091c0a0 sqlite3_log 94902->94921 94904->94884 94904->94885 94906 6091c68d sqlite3_log 94905->94906 94914 6091c6b4 94905->94914 94965 60953294 sqlite3_log 94906->94965 94908 6091c7ac 94915 6091c7a7 94908->94915 94940 6091e070 94908->94940 94909 6091c79e 94922 6091a104 94909->94922 94911 6091c6af 94911->94887 94914->94908 94914->94909 94914->94911 94966 60904abc 127 API calls 94915->94966 94916->94888 94917->94887 94918->94898 94919->94891 94920->94895 94921->94904 94967 6091a024 94922->94967 94924 6091a156 94924->94915 94926 6091a202 94972 60904a84 11 API calls 94926->94972 94929 6091a392 94929->94924 94975 60919d84 7 API calls 94929->94975 94930 6091a238 94936 6091a30e 94930->94936 94973 60918210 10 API calls 94930->94973 94932 6091a3b1 94935 6091a3c9 94932->94935 94976 60918b0c 122 API calls 
94932->94976 94935->94924 94977 60918210 10 API calls 94935->94977 94974 60918210 10 API calls 94936->94974 94938 6091a400 94938->94924 94939 6091a40b sqlite3_snprintf 94938->94939 94939->94924 94980 6091af44 sqlite3_mutex_enter 94940->94980 94942 60924314 94987 60904a84 11 API calls 94942->94987 94944 60924333 94944->94915 94945 609243c0 94988 60904a84 11 API calls 94945->94988 94947 6092426a 94947->94915 94949 609241e5 sqlite3_log 94984 6091afe4 132 API calls 94949->94984 94951 6091e5b8 94953 6091e5dd 94951->94953 94954 6091e61c 94951->94954 94952 609242c8 94952->94949 94982 60904a84 11 API calls 94953->94982 94957 6091e620 sqlite3_log 94954->94957 94958 6091e646 94954->94958 94955 6092421b 94962 6091e652 94955->94962 94985 6092e0e4 16 API calls 94955->94985 94957->94958 94983 6091afe4 132 API calls 94958->94983 94959 6091e0fd 94959->94942 94959->94945 94959->94949 94959->94951 94959->94952 94981 60918528 116 API calls 94959->94981 94960 6091e5f5 sqlite3_log 94960->94958 94986 6090edb0 sqlite3_mutex_leave 94962->94986 94965->94911 94966->94911 94968 6091a08c 94967->94968 94971 6091a037 94967->94971 94968->94924 94968->94926 94968->94930 94971->94968 94978 6091859c 116 API calls 94971->94978 94979 60904648 sqlite3_free 94971->94979 94972->94924 94973->94936 94974->94929 94975->94932 94976->94935 94977->94938 94978->94971 94979->94971 94980->94959 94981->94959 94982->94960 94983->94962 94984->94955 94985->94962 94986->94947 94987->94944 94988->94947 94989 60922640 94990 6092266d 94989->94990 95007 6091e154 94989->95007 95015 60912738 94990->95015 94992 609241e5 sqlite3_log 95023 6091afe4 132 API calls 94992->95023 94994 60924314 95026 60904a84 11 API calls 94994->95026 94995 6092421b 94998 6091e652 94995->94998 95024 6092e0e4 16 API calls 94995->95024 94997 60924333 95025 6090edb0 sqlite3_mutex_leave 94998->95025 95002 6091e5b8 95005 6091e5dd 95002->95005 95006 6091e61c 95002->95006 95003 609242c8 95003->94992 95004 6092426a 95021 60904a84 11 API calls 95005->95021 

                                Control-flow Graph

                                APIs
                                • _memset.LIBCMT ref: 004F4BFD
                                • GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004F4C21
                                • _memset.LIBCMT ref: 004F4C44
                                • GetAdaptersInfo.IPHLPAPI(?,?), ref: 004F4C57
                                • _memset.LIBCMT ref: 004F4CC5
                                • StringFromGUID2.OLE32(?,?,00000104,?,?,?,?,?,?,&moldid=,00000000,?,?,?,?,?), ref: 004F4CDD
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1889096592.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889351222.0000000000561000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889374941.0000000000562000.00000008.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005BB000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005C0000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889475016.00000000005C5000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: _memset$AdaptersFromInfoInformationStringVolume
                                • String ID: C:\${-}${-}
                                • API String ID: 3941708474-2681429196
                                • Opcode ID: 277fe76580b6b5641c28248c775d4be4752942d67b8e2e01e579d970f1343ab9
                                • Instruction ID: 2c91b6d981af4eadff72b74c93defabb846fcc535acab3a6063feb5631383c31
                                • Opcode Fuzzy Hash: 277fe76580b6b5641c28248c775d4be4752942d67b8e2e01e579d970f1343ab9
                                • Instruction Fuzzy Hash: 1A5170749042189BDB24DF94CC51BEEB778AF48714F1042DEE609A72C1EB746A84CF68

                                Control-flow Graph

                                APIs
                                • GetLocalTime.KERNEL32(?,B211AFF1), ref: 004C0478
                                • EnterCriticalSection.KERNEL32(?,00000000,?,L,00000000), ref: 004C066A
                                • LeaveCriticalSection.KERNEL32(?), ref: 004C06E8
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1889096592.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889351222.0000000000561000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889374941.0000000000562000.00000008.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005BB000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005C0000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889475016.00000000005C5000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterLeaveLocalTime
                                • String ID: (%s)-$ - $%02d:%02d:%02d$L$L
                                • API String ID: 4028604170-277455988
                                • Opcode ID: 406b6ea7e0672b0afd588d775c5360ce2bad1a900807bb89163098e037d5e3be
                                • Instruction ID: b6ba546bcca6b752919d731749c00327d36a6aeed96f0a45b65dd2a2bc66ba2c
                                • Opcode Fuzzy Hash: 406b6ea7e0672b0afd588d775c5360ce2bad1a900807bb89163098e037d5e3be
                                • Instruction Fuzzy Hash: 30812970900158EBDB14DB95DC91FEEB774AF54308F5081AEE10AB7281DB786A88CF68
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0049D9DE
                                • GetCurrentProcessId.KERNEL32 ref: 0049DA00
                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0049DA14
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0049DA54
                                • CloseHandle.KERNEL32(00000000), ref: 0049DA85
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1889096592.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889351222.0000000000561000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889374941.0000000000562000.00000008.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005BB000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005C0000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889475016.00000000005C5000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32
                                • String ID:
                                • API String ID: 592884611-0
                                • Opcode ID: d861248f22b9e8738e682d16beab98e63d0608105bc6e0e536ca83f65de22f70
                                • Instruction ID: 2ab5695731c723cb54ced3e96b23633eb8c252716f13112e9c65ba2f165a2eb0
                                • Opcode Fuzzy Hash: d861248f22b9e8738e682d16beab98e63d0608105bc6e0e536ca83f65de22f70
                                • Instruction Fuzzy Hash: C3211D70D04218EBDF20DFA5C8887EDBBB4AF14304F1441EAE409A7290DB789AD8CF54
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID: 8$too many terms in compound SELECT
                                • API String ID: 0-582876648
                                • Opcode ID: 2e53d0e286ffeaa08284a889eb509b90c82c6586479bba55785ebc6701211c70
                                • Instruction ID: b4bd6903abf05f50785a7f3c3daebca4123585f726e3d750e1432d862c8ff98c
                                • Opcode Fuzzy Hash: 2e53d0e286ffeaa08284a889eb509b90c82c6586479bba55785ebc6701211c70
                                • Instruction Fuzzy Hash: 70B265B5E002199BDB14CF68CC81F997776BB69324F148294FA28AB2D1E735DE90CF50
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000,-00000001,0000005C,000000FF,00000000,00000000,B211AFF1), ref: 0049F1F8
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1889096592.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889351222.0000000000561000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889374941.0000000000562000.00000008.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005BB000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005C0000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889475016.00000000005C5000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: FileFindFirst
                                • String ID:
                                • API String ID: 1974802433-0
                                • Opcode ID: 90796a18ae1ed393754df1fc7f639163134edfd9e388af5d1aa5fce0e2782bc1
                                • Instruction ID: cc1ef078bf7205146ab4a592bcf7a98bcf4aa0962d6995632bada8dfdccf46d9
                                • Opcode Fuzzy Hash: 90796a18ae1ed393754df1fc7f639163134edfd9e388af5d1aa5fce0e2782bc1
                                • Instruction Fuzzy Hash: 03716D70914258DFDB19DBA5CC94BEDBBB8AF14304F1441EEE00AA7291DB382B88CF55

                                Control-flow Graph

                                APIs
                                • _Immortalize.LIBCPMTD ref: 004E016D
                                • _Immortalize.LIBCPMTD ref: 004E027F
                                • PathFindFileNameW.SHLWAPI(00000000,&sufn=,00000000,?,?,?,?,&moldid=,00000000,?,?,?,?,?), ref: 004E0371
                                  • Part of subcall function 00484EA0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 00484F0F
                                  • Part of subcall function 00484EA0: _memset.LIBCMT ref: 00484F43
                                  • Part of subcall function 00484EA0: __wcstoi64.LIBCMT ref: 00484F6F
                                  • Part of subcall function 0047F670: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 0047F6A8
                                  • Part of subcall function 0047F670: _memset.LIBCMT ref: 0047F6DE
                                  • Part of subcall function 0047F670: _swscanf.LIBCMT ref: 0047F743
                                • _Immortalize.LIBCPMTD ref: 004E073F
                                • _Immortalize.LIBCPMTD ref: 004E074F
                                  • Part of subcall function 00502490: GetLocaleInfoW.KERNEL32(00000400,0000005A,?,00000008,B211AFF1,?,00000000,00508795,000000FF,?,004E09FD,?,00000000,0000000C,0000005A,00000000), ref: 005024F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1889096592.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889351222.0000000000561000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889374941.0000000000562000.00000008.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005BB000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005C0000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889475016.00000000005C5000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: Immortalize$Iterator_baseIterator_base::__memsetstd::_$FileFindInfoLocaleNamePath__wcstoi64_swscanf
                                • String ID: &avr=$&cntry=$&dnt=$&gloss=$&ibprs=$&ibprv=$&iev=%d&ffv=%d&crv=%d&dwb=%s&dlb=%s&wbr=%d$&mntrId=$&moldid=$&notc=1$&noupgrd=1$&osp=$&sufn=$&sutp=%d&sufl=%d&tbp=%d&prver=%d&minreq=%d&dtct=%d&wvr=%d$&tbinst=1$&tbtp=$&test=$&voices=$&w64=1$/'N$/'N$WBR$hbS$ver=
                                • API String ID: 327512372-716390181
                                • Opcode ID: df486e88c4299f072a18183b124c595605ff24670e846b093139c2e6581e67f2
                                • Instruction ID: 3b98f8d82bb84df878d0254f465412ed47e9ad28aab4b3b75e605d2f278c53bf
                                • Opcode Fuzzy Hash: df486e88c4299f072a18183b124c595605ff24670e846b093139c2e6581e67f2
                                • Instruction Fuzzy Hash: B2828DB0D012589BDB24EB65DD45BDEB7B4AF54308F1080EEE10967282DB786F88CF59

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID: :memory:
                                • API String ID: 0-2920599690
                                • Opcode ID: 82497f04b53d4fd6fe53d7db06479e0520f7b9b38939269baa1f75721907a5d8
                                • Instruction ID: 45b4f05c4a9be21495f505260580b83099c411410a0b074a2ab6a3e5554857f9
                                • Opcode Fuzzy Hash: 82497f04b53d4fd6fe53d7db06479e0520f7b9b38939269baa1f75721907a5d8
                                • Instruction Fuzzy Hash: E1E10C70E042098BEB11CF68CC817597BB6AF71324F148398E8789B2D1E7B5D9A4CF91

                                Control-flow Graph

                                APIs
                                • sqlite3_initialize.SQLITE3(?,?,?,?,?,60952F61,?,00000000,00000006,00000000), ref: 60952B86
                                • sqlite3_free.SQLITE3(00000000), ref: 60952C26
                                • sqlite3_mutex_leave.SQLITE3(?), ref: 60952EEA
                                • sqlite3_errcode.SQLITE3(00000000), ref: 60952EF9
                                • sqlite3_close.SQLITE3(00000000), ref: 60952F0C
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_closesqlite3_errcodesqlite3_freesqlite3_initializesqlite3_mutex_leave
                                • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp

                                Control-flow Graph

                                APIs
                                • sqlite3_mutex_enter.SQLITE3(?), ref: 6093926A
                                • sqlite3_errcode.SQLITE3(00000000), ref: 609394AA
                                • sqlite3_errmsg.SQLITE3(00000000), ref: 609394C7
                                • sqlite3_errmsg.SQLITE3(00000000), ref: 609394F6
                                • memcpy.MSVCRT ref: 60939501
                                • sqlite3_mutex_leave.SQLITE3(?), ref: 60939540
                                  • Part of subcall function 60953294: sqlite3_log.SQLITE3(00000015,misuse detected by source line %d,60901481), ref: 609532A7
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_errmsg$memcpysqlite3_errcodesqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                • String ID: d

                                Control-flow Graph

                                APIs
                                • GetDC.USER32(00000000), ref: 00424160
                                • CreateFontW.GDI32(0053C118,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00424194
                                • SelectObject.GDI32(00000000,?), ref: 004241A5
                                • GetTextFaceW.GDI32(00000000,00000020,?), ref: 004241B8
                                • GetTextCharset.GDI32(00000000), ref: 004241D3
                                • GetTextMetricsW.GDI32(00000000,00000000), ref: 004241F0
                                • SelectObject.GDI32(00000000,?), ref: 004241FE
                                • ReleaseDC.USER32(00000000,00000000), ref: 00424210
                                • StrStrIW.SHLWAPI(?,?), ref: 00424231
                                • DeleteObject.GDI32(?), ref: 0042423F
                                • _wcscpy.LIBCMT ref: 0042425C
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: ObjectText$Select$CharsetCreateDeleteFaceFontMetricsRelease_wcscpy
                                • String ID: .DB

                                Control-flow Graph

                                APIs
                                • std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 004903D4
                                • CoTaskMemFree.OLE32(00000000,?,00000000,00000000), ref: 00490526
                                • _memset.LIBCMT ref: 00490583
                                • _memset.LIBCMT ref: 00490658
                                  • Part of subcall function 00443050: CoCreateInstance.OLE32(000000FF,00000000,000000FF,0053D3B4,B211AFF1,?,?,00490443,0051BAFC,00000000,00000017,00000000,00000000,000000FF,00000000,000000FF), ref: 0044306C
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: _memset$CreateFreeInstanceIterator_baseIterator_base::_Taskstd::_
                                • String ID: "%1"$.html$.html$\shell\open\command$bI$http

                                Control-flow Graph

                                Strings
                                • sqlite_master, xrefs: 6093C9CB
                                • CREATE TABLE sqlite_master( type text, name text, tbl_name text, rootpage integer, sql text), xrefs: 6093C9BB
                                • sqlite_temp_master, xrefs: 6093C9D8
                                • BINARY, xrefs: 6093CB3A
                                • CREATE TEMP TABLE sqlite_temp_master( type text, name text, tbl_name text, rootpage integer, sql text), xrefs: 6093C9C6
                                • SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid, xrefs: 6093CC33
                                • attached databases must use the same text encoding as main database, xrefs: 6093CB61
                                • unsupported file format, xrefs: 6093CBED
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID: BINARY$CREATE TABLE sqlite_master( type text, name text, tbl_name text, rootpage integer, sql text)$CREATE TEMP TABLE sqlite_temp_master( type text, name text, tbl_name text, rootpage integer, sql text)$SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid$attached databases must use the same text encoding as main database$sqlite_master$sqlite_temp_master$unsupported file format

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: CountTick__wcsicoll__wcslwr__wsplitpath
                                • String ID: .exe$chrome$firefox$iexplore

                                Control-flow Graph

                                APIs
                                • _memset.LIBCMT ref: 004D23BC
                                • GetPrivateProfileStringW.KERNEL32(toolbar,name,00534670,?,00000040,00000000), ref: 004D23E8
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: PrivateProfileString_memset
                                • String ID: TBConfig.inf$bstl$cndt$mntr$name$toolbar

                                Control-flow Graph

                                APIs
                                • _memset.LIBCMT ref: 004961A6
                                • OpenProcess.KERNEL32(00000410,00000000,004E02FB,?,N/A,00000000,?,?,B211AFF1), ref: 004961FD
                                • EnumProcessModules.PSAPI(00000000,00000000,00000004,00000000,?,?,B211AFF1), ref: 00496238
                                • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000104,00000000,00000000,00000004,00000000,?,?,B211AFF1), ref: 00496258
                                • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,00000000,00000000,00000004,00000000,?,?,B211AFF1), ref: 0049626F
                                • CloseHandle.KERNEL32(00000000,00000000,?,00000104,00000000,00000000,00000004,00000000,?,?,B211AFF1), ref: 0049627C
                                • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,?,00000104,00000000,00000000,00000004,00000000,?,?,B211AFF1), ref: 004962D6
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: Process$CloseFileHandleName$EnumImageModuleModulesOpen_memset
                                • String ID: N/A

                                Control-flow Graph

                                APIs
                                • std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 0048CCC9
                                  • Part of subcall function 0041EEA0: RegOpenKeyExW.KERNEL32(00000001,?,00000000,00000000,00000000,Software\Microsoft\Internet Explorer\,00000001), ref: 0041EECA
                                • _memset.LIBCMT ref: 0048CCFB
                                  • Part of subcall function 0041EDE0: RegQueryValueExW.KERNEL32(00000020,00000001,00000000,00000020,?,00000001,0047F702,svcVersion,00000001,00000020,Software\Microsoft\Internet Explorer\,00000001,B211AFF1), ref: 0041EE1C
                                • __wcstoi64.LIBCMT ref: 0048CD27
                                  • Part of subcall function 00451CBD: wcstoxl.LIBCMT ref: 00451CDE
                                • PathFindFileNameW.SHLWAPI(00000000,00000000,0000000A,?,B211AFF1), ref: 0048CD70
                                • __wcstoi64.LIBCMT ref: 0048CD77
                                Strings
                                • Version, xrefs: 0048CD12
                                • , xrefs: 0048CD03
                                • Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\, xrefs: 0048CCD7
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: __wcstoi64$FileFindIterator_baseIterator_base::_NameOpenPathQueryValue_memsetstd::_wcstoxl
                                • String ID: $Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\$Version
                                • API String ID: 1568900015-1727943444

                                APIs
                                • std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 0047F6A8
                                  • Part of subcall function 0041EEA0: RegOpenKeyExW.KERNEL32(00000001,?,00000000,00000000,00000000,Software\Microsoft\Internet Explorer\,00000001), ref: 0041EECA
                                • _memset.LIBCMT ref: 0047F6DE
                                  • Part of subcall function 0041EDE0: RegQueryValueExW.KERNEL32(00000020,00000001,00000000,00000020,?,00000001,0047F702,svcVersion,00000001,00000020,Software\Microsoft\Internet Explorer\,00000001,B211AFF1), ref: 0041EE1C
                                • _swscanf.LIBCMT ref: 0047F743
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: Iterator_baseIterator_base::_OpenQueryValue_memset_swscanfstd::_
                                • String ID: $%d.%d$Software\Microsoft\Internet Explorer\$Version$svcVersion
                                • API String ID: 1427520148-2889293724

                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID: -journal$:memory:
                                • API String ID: 0-354093883
                                APIs
                                • std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 00482D5E
                                  • Part of subcall function 00482980: __wsplitpath.LIBCMT ref: 00482A17
                                  • Part of subcall function 00482980: PathAddBackslashW.SHLWAPI(?), ref: 00482A26
                                  • Part of subcall function 00482980: GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00482A43
                                  • Part of subcall function 00482980: _sprintf.LIBCMT ref: 00482A59
                                  • Part of subcall function 00482980: _strlen.LIBCMT ref: 00482A6F
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: BackslashInformationIterator_baseIterator_base::_PathVolume__wsplitpath_sprintf_strlenstd::_
                                • String ID: GUID$INSTALL_FOLDER_NAME$LIpq0hKVkVaLMSLNpdvbwZ1ujeVTM3C6kW4BzYpnFeY3Qs6E$Software\$version$/H
                                • API String ID: 296098145-1771210073
                                APIs
                                • std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 00495E4E
                                  • Part of subcall function 0041EEA0: RegOpenKeyExW.KERNEL32(00000001,?,00000000,00000000,00000000,Software\Microsoft\Internet Explorer\,00000001), ref: 0041EECA
                                • _memset.LIBCMT ref: 00495EBA
                                  • Part of subcall function 0041EDE0: RegQueryValueExW.KERNEL32(00000020,00000001,00000000,00000020,?,00000001,0047F702,svcVersion,00000001,00000020,Software\Microsoft\Internet Explorer\,00000001,B211AFF1), ref: 0041EE1C
                                • _wcslen.LIBCMT ref: 00495EF6
                                • _wcslen.LIBCMT ref: 00495F12
                                • PathAddBackslashW.SHLWAPI(?,00000104,Software\Microsoft\Windows\CurrentVersion\App Paths\,00000000,B211AFF1), ref: 00495F2B
                                Strings
                                • Path, xrefs: 00495EDA
                                • Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 00495E66
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: _wcslen$BackslashIterator_baseIterator_base::_OpenPathQueryValue_memsetstd::_
                                • String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\
                                • API String ID: 3112264913-2411794369
                                APIs
                                • GetDC.USER32(00000000), ref: 0042429C
                                • GetDeviceCaps.GDI32(?,0000005A), ref: 004243A0
                                • MulDiv.KERNEL32(00000000,00000000), ref: 004243AE
                                • MulDiv.KERNEL32(00000000,00000060,00000048), ref: 004243C9
                                • GetDeviceCaps.GDI32(?,0000005A), ref: 00424442
                                • MulDiv.KERNEL32(?,00000048,00000000), ref: 00424458
                                • _wcscpy.LIBCMT ref: 00424471
                                • ReleaseDC.USER32(00000000,?), ref: 0042447F
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: CapsDevice$Release_wcscpy
                                • String ID:
                                • API String ID: 218543050-0
                                APIs
                                • std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 004C0041
                                • std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 004C0191
                                • _memset.LIBCMT ref: 004C01B6
                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004C01CA
                                Strings
                                • %d/%02d/%02d v%ls %ls\%ls , xrefs: 004C0007
                                • ----------- %d/%02d/%02d - running v%s on %s (user:%s) ----------- Windows Path: %s, xrefs: 004C0221
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: Iterator_baseIterator_base::_std::_$DirectoryWindows_memset
                                • String ID: ----------- %d/%02d/%02d - running v%s on %s (user:%s) ----------- Windows Path: %s$%d/%02d/%02d v%ls %ls\%ls
                                • API String ID: 2967078197-765409714
                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                • String ID:
                                • API String ID: 3886058894-0
                                APIs
                                • CopyFileW.KERNEL32(00000000,00000000,00000000,B211AFF1), ref: 0049E89E
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0049E8C3
                                • _wcscpy.LIBCMT ref: 0049E941
                                • _wcscpy.LIBCMT ref: 0049E97A
                                • SHFileOperationW.SHELL32(00000000,00000000,Copying file: ,00000000), ref: 0049EA25
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: File_wcscpy$CopyErrorLastOperation
                                • String ID: Copying file:
                                • API String ID: 3886142043-2745297420
                                APIs
                                  • Part of subcall function 00495D00: _memset.LIBCMT ref: 00495D56
                                  • Part of subcall function 00495D00: SHGetFolderPathW.SHELL32(00000000,004CC849,00000000,00000000,?,?,?,B211AFF1), ref: 00495D6F
                                  • Part of subcall function 00495D00: PathAddBackslashW.SHLWAPI(?,?,?,B211AFF1), ref: 00495D93
                                • __wsplitpath.LIBCMT ref: 00482A17
                                  • Part of subcall function 0045508B: __wsplitpath_helper.LIBCMT ref: 004550CD
                                • PathAddBackslashW.SHLWAPI(?), ref: 00482A26
                                • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00482A43
                                • _sprintf.LIBCMT ref: 00482A59
                                • _strlen.LIBCMT ref: 00482A6F
                                  • Part of subcall function 00448860: __vswprintf.LIBCMT ref: 00448878
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: Path$Backslash$FolderInformationVolume__vswprintf__wsplitpath__wsplitpath_helper_memset_sprintf_strlen
                                • String ID: %.8x
                                • API String ID: 2556234588-3443174927
                                APIs
                                • StrStrW.SHLWAPI(?,://,00000000,B211AFF1), ref: 00424F72
                                • _memset.LIBCMT ref: 00424FD9
                                • InternetCrackUrlW.WININET(?,00000000,00000000,0000003C), ref: 00425070
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: CrackInternet_memset
                                • String ID: ://$<$http://
                                • API String ID: 1413715105-1638580327
                                APIs
                                • LoadImageW.USER32(00000000,00000000,00000001,00000000,00000000,00000050), ref: 004D5B3A
                                • LoadIconW.USER32(00000000,00000001), ref: 004D5B56
                                • IsWindow.USER32(004CD3AA), ref: 004D5B63
                                • SendMessageW.USER32(004CD3AA,00000080,00000001,00000000), ref: 004D5B7C
                                • SendMessageW.USER32(004CD3AA,00000080,00000000,00000000), ref: 004D5B91
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: LoadMessageSend$IconImageWindow
                                • String ID: setup.ico
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Iterator_baseIterator_base::___wcstoi64_memsetstd::_
                                • String ID: $CurrentVersion$SOFTWARE\Mozilla\Mozilla Firefox
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: allocator
                                • String ID: gB$gB
                                APIs
                                • ___set_flsgetvalue.LIBCMT ref: 00451FF7
                                • __calloc_crt.LIBCMT ref: 00452003
                                • __getptd.LIBCMT ref: 00452010
                                • __initptd.LIBCMT ref: 00452019
                                • CreateThread.KERNEL32(?,?,00451F43,00000000,?,?), ref: 00452047
                                • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00452051
                                • __dosmaperr.LIBCMT ref: 00452069
                                  • Part of subcall function 00454477: __getptd_noexit.LIBCMT ref: 00454477
                                  • Part of subcall function 004557A5: __decode_pointer.LIBCMT ref: 004557B0
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit__initptd
                                • String ID:
                                APIs
                                • CoCreateInstance.OLE32(0051D91C,00000000,00000001,0051D84C,00000000,00000000,B211AFF1), ref: 0049571D
                                • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00495813
                                  • Part of subcall function 00417300: SysFreeString.OLEAUT32(?), ref: 0041730D
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: BlanketCreateFreeInstanceProxyString
                                • String ID: SELECT * FROM AntivirusProduct$WQL$displayName
                                APIs
                                • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,00000000), ref: 004833CF
                                • _malloc.LIBCMT ref: 004833D8
                                  • Part of subcall function 0044FBD9: __FF_MSGBANNER.LIBCMT ref: 0044FBFC
                                  • Part of subcall function 0044FBD9: __NMSG_WRITE.LIBCMT ref: 0044FC03
                                  • Part of subcall function 0044FBD9: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00457755,?,00000001,?,?,00457D86,00000018,005444D8,0000000C,00457E17), ref: 0044FC50
                                • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,00000000), ref: 00483420
                                • wsprintfW.USER32 ref: 004834B7
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: AdaptersAddresses$AllocateHeap_mallocwsprintf
                                • String ID: %02X
                                APIs
                                • std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 00482B88
                                  • Part of subcall function 00482980: __wsplitpath.LIBCMT ref: 00482A17
                                  • Part of subcall function 00482980: PathAddBackslashW.SHLWAPI(?), ref: 00482A26
                                  • Part of subcall function 00482980: GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00482A43
                                  • Part of subcall function 00482980: _sprintf.LIBCMT ref: 00482A59
                                  • Part of subcall function 00482980: _strlen.LIBCMT ref: 00482A6F
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: BackslashInformationIterator_baseIterator_base::_PathVolume__wsplitpath_sprintf_strlenstd::_
                                • String ID: $LIpq0hKVkVaLMSLNpdvbwZ1ujeVTM3C6kW4BzYpnFeY3Qs6E$Software\$version
                                APIs
                                  • Part of subcall function 00495D00: _memset.LIBCMT ref: 00495D56
                                  • Part of subcall function 00495D00: SHGetFolderPathW.SHELL32(00000000,004CC849,00000000,00000000,?,?,?,B211AFF1), ref: 00495D6F
                                  • Part of subcall function 00495D00: PathAddBackslashW.SHLWAPI(?,?,?,B211AFF1), ref: 00495D93
                                • _memset.LIBCMT ref: 004D6F46
                                • GetPrivateProfileStringW.KERNEL32(babylon,00000000,00000000,?,00000104,00000000), ref: 004D6F70
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Path_memset$BackslashFolderPrivateProfileString
                                • String ID: Methods.txt$babylon$OS
                                APIs
                                  • Part of subcall function 004BF560: _Immortalize.LIBCPMTD ref: 004BF563
                                • MessageBoxW.USER32(00000000,00000000,Babylon,00000000), ref: 004309F5
                                Strings
                                • T+\, xrefs: 00430991
                                • Init Log error: ver = %ls; regpath = %ls; source = %ls; path = %ls; client = %d, xrefs: 004309D2
                                • Cannot Initialize Log System, xrefs: 004309FB
                                • Babylon, xrefs: 004309E5
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ImmortalizeMessage
                                • String ID: Babylon$Cannot Initialize Log System$Init Log error: ver = %ls; regpath = %ls; source = %ls; path = %ls; client = %d$T+\
                                APIs
                                • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 609085A6
                                • GetLastError.KERNEL32(?,?,?,00000000), ref: 609085B0
                                • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 609085D2
                                • GetLastError.KERNEL32(?,?,00000000), ref: 609085DE
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: ErrorFileLast$PointerRead
                                • String ID:
                                APIs
                                • _memset.LIBCMT ref: 00483277
                                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0048329A
                                • __wsplitpath.LIBCMT ref: 004832B1
                                  • Part of subcall function 0045508B: __wsplitpath_helper.LIBCMT ref: 004550CD
                                • PathAddBackslashW.SHLWAPI(?), ref: 004832BD
                                • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004832D7
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: BackslashDirectoryInformationPathSystemVolume__wsplitpath__wsplitpath_helper_memset
                                • String ID:
                                APIs
                                • __lock.LIBCMT ref: 0044FB1A
                                  • Part of subcall function 00457DFC: __mtinitlocknum.LIBCMT ref: 00457E12
                                  • Part of subcall function 00457DFC: __amsg_exit.LIBCMT ref: 00457E1E
                                  • Part of subcall function 00457DFC: EnterCriticalSection.KERNEL32(?,?,?,004574AB,0000000D,00544470,00000008,00451FA2,?,00000000), ref: 00457E26
                                • ___sbh_find_block.LIBCMT ref: 0044FB25
                                • ___sbh_free_block.LIBCMT ref: 0044FB34
                                • RtlFreeHeap.NTDLL(00000000,?,00544138,0000000C,004573F1,00000000,?,00457755,?,00000001,?,?,00457D86,00000018,005444D8,0000000C), ref: 0044FB64
                                • GetLastError.KERNEL32(?,00457755,?,00000001,?,?,00457D86,00000018,005444D8,0000000C,00457E17,?,?,?,004574AB,0000000D), ref: 0044FB75
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                • String ID:
                                APIs
                                  • Part of subcall function 004E7470: RegOpenKeyExW.KERNEL32(?,00000104,00000000,00020019,00000104,?,00000104), ref: 004E748C
                                • _wcstok_s.LIBCMT ref: 004E758E
                                • _wcstok_s.LIBCMT ref: 004E763C
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: _wcstok_s$Open
                                • String ID: 8}S$`|S8}S
                                • API String ID: 3879386483-3606869655
                                • Opcode ID: 9728a3ff92e0f71e6a12aea6d5b08f99367a5ec3e5b93e39bb7426e85638d084
                                • Instruction ID: a2f9222925fe8830c8f0cba5c2e6d96b03c4d239ebe84c64fdbbe26eb1bda9d0
                                • Opcode Fuzzy Hash: 9728a3ff92e0f71e6a12aea6d5b08f99367a5ec3e5b93e39bb7426e85638d084
                                • Instruction Fuzzy Hash: 525190B0D04259EBCB20DFA5E889BDEB770AB54325F2041DAE4096B241D738AF85CF59
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: memset
                                • String ID: %s.%s$no such table: %s$no tables specified$sqlite_subquery_%p_$too many columns in result set
                                • API String ID: 2221118986-504292795
                                • Opcode ID: 5d6ebe0e62fec26175fe5d8b6c7fa278a6cf44ba62ba3616f9b5e84043baedb6
                                • Instruction ID: d268eb13787eaec6e33913074c9f6d93d35b8c4bd3fc5ff8993d4e330571a368
                                • Opcode Fuzzy Hash: 5d6ebe0e62fec26175fe5d8b6c7fa278a6cf44ba62ba3616f9b5e84043baedb6
                                • Instruction Fuzzy Hash: C30284B5D002099FDB04CF94C881B9EB7BAFF6A314F148258E924AB391E775DD51CB90
                                APIs
                                • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000001,04000102,00000000), ref: 60908F6E
                                • free.MSVCRT(?), ref: 60908FAA
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: CreateFilefree
                                • String ID:
                                • API String ID: 1298414175-0
                                • Opcode ID: 655ab3b94dc804d350f9a8ac7feacf8ea627cd580046fe671daae623f19e835e
                                • Instruction ID: 5b747a63caf79e2d492f0ad608290c7b33f1ecc79ed02f0309582a1151da549e
                                • Opcode Fuzzy Hash: 655ab3b94dc804d350f9a8ac7feacf8ea627cd580046fe671daae623f19e835e
                                • Instruction Fuzzy Hash: CA4194B1E002199BEB148F24CC42BCB767BAB65324F104398BA695B2D0D7B5DE91CB91
                                APIs
                                • sqlite3_mutex_enter.SQLITE3(?), ref: 6091C8E0
                                • sqlite3_value_text.SQLITE3(?), ref: 6091C945
                                • sqlite3_mutex_leave.SQLITE3(?), ref: 6091C9A5
                                  • Part of subcall function 60953294: sqlite3_log.SQLITE3(00000015,misuse detected by source line %d,60901481), ref: 609532A7
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_logsqlite3_mutex_entersqlite3_mutex_leavesqlite3_value_text
                                • String ID:
                                • API String ID: 3427854435-0
                                • Opcode ID: 7ce9a4c75ade019dd3d7a344a41ac6b23261ae180ae65b833379e80fb5bacc9f
                                • Instruction ID: 8e58a9d724f0070cbeea2dd5c2e3f901cf7fcd0219e67c658b3bab463a907223
                                • Opcode Fuzzy Hash: 7ce9a4c75ade019dd3d7a344a41ac6b23261ae180ae65b833379e80fb5bacc9f
                                • Instruction Fuzzy Hash: 9531AAF1E0860967E7005A68CC8279D77A9AB3233CF1407B4D874923D1EB79D69187D2
                                APIs
                                • _memset.LIBCMT ref: 00495D56
                                • SHGetFolderPathW.SHELL32(00000000,004CC849,00000000,00000000,?,?,?,B211AFF1), ref: 00495D6F
                                • PathAddBackslashW.SHLWAPI(?,?,?,B211AFF1), ref: 00495D93
                                • PathRemoveBackslashW.SHLWAPI(?,?,?,B211AFF1), ref: 00495DA2
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: Path$Backslash$FolderRemove_memset
                                • String ID:
                                • API String ID: 3929315810-0
                                • Opcode ID: 96fa1e2120f73fee355aa39e370b13f2663d05828f730e9f0656c7f538837c9d
                                • Instruction ID: 86fe7a635caa72a0efe5caebca3a345e7fb4d4f12f3475407d8bad049a1c2fa8
                                • Opcode Fuzzy Hash: 96fa1e2120f73fee355aa39e370b13f2663d05828f730e9f0656c7f538837c9d
                                • Instruction Fuzzy Hash: 9031BF7094421CABDB14DF60DC59BEEB774FB14310F5082AAF91AA72C1DB78AA44CF54
                                APIs
                                • RegOpenKeyExW.KERNEL32(?,00000104,00000000,00020019,00000104,?,00000104), ref: 004E748C
                                • RegQueryValueExW.KERNEL32(?,00000000,00000000,?,?,?), ref: 004E74B0
                                • RegCloseKey.ADVAPI32(?), ref: 004E74BE
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                • Opcode ID: 74fe9954f2e3551657335ec8724b267966786377028bdac5330b8d3bf33c2527
                                • Instruction ID: 76fb4871da12695b8ab536f07709f3c59ad994e195b5bc8f38fb2a09462755e2
                                • Opcode Fuzzy Hash: 74fe9954f2e3551657335ec8724b267966786377028bdac5330b8d3bf33c2527
                                • Instruction Fuzzy Hash: E0012C7560420CFBDB00DFA5D849EEB7B7CAB48701F108549FA1597281D634DA09EBA0
                                APIs
                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00451ED8
                                  • Part of subcall function 0045B680: __FindPESection.LIBCMT ref: 0045B6DB
                                • __getptd_noexit.LIBCMT ref: 00451EE8
                                • __freeptd.LIBCMT ref: 00451EF2
                                • ExitThread.KERNEL32 ref: 00451EFB
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
                                • String ID:
                                • API String ID: 3182216644-0
                                • Opcode ID: 45c0064a665edcd0f35b4145ff4f6929edeaa6cdf4a60e7216190a0d6abc93e0
                                • Instruction ID: f95b2b2071df862fdbd7455a2c00a2e548bf6b304d09f826b41b5fb9907c16d8
                                • Opcode Fuzzy Hash: 45c0064a665edcd0f35b4145ff4f6929edeaa6cdf4a60e7216190a0d6abc93e0
                                • Instruction Fuzzy Hash: 65D012211402155AD71127A6EC4FB6B3AA9EB50357B044A26BC11815F3DF78C88CD579
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: ,$statement aborts at %d: [%s] %s
                                • API String ID: 632333372-667596864
                                • Opcode ID: 233f022402cfdb8fb5d661f348a22ba8d3823a272b3b14e53e8441eadf89374e
                                • Instruction ID: 4d8e33bcb96b3de23018b8aea445ff80c2495ae2cf1c8900058c5f7661d6aebc
                                • Opcode Fuzzy Hash: 233f022402cfdb8fb5d661f348a22ba8d3823a272b3b14e53e8441eadf89374e
                                • Instruction Fuzzy Hash: AAE13770D14218CBDB20CB14DC80B99B7BABB26314F1482D9E52CA7295E7359EE5CF51
                                APIs
                                • sqlite3_log.SQLITE3(10C483FC,60908C32,BD74DB85), ref: 60950A91
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: interrupt$unrecognized token: "%T"
                                • API String ID: 632333372-1292477928
                                • Opcode ID: 62c9de0f899d5d880bcafb6991cef8a436ceef7e7ccb392878b20c44ac97c30b
                                • Instruction ID: e07a57114facb3b84ae8778fa5043c6d46b549a4b78acebf1d2262f96c954b48
                                • Opcode Fuzzy Hash: 62c9de0f899d5d880bcafb6991cef8a436ceef7e7ccb392878b20c44ac97c30b
                                • Instruction Fuzzy Hash: 50B1C8B0C042059BEF02CF65CCC5B9977B6AF6132CF188264DC784A2C6E775C694CBA1
                                APIs
                                  • Part of subcall function 004D22E0: _memset.LIBCMT ref: 004D23BC
                                  • Part of subcall function 004D22E0: GetPrivateProfileStringW.KERNEL32(toolbar,name,00534670,?,00000040,00000000), ref: 004D23E8
                                • _memset.LIBCMT ref: 004D2CDA
                                • SearchPathW.KERNEL32(00000000,00000000,00000000,00000104,?,00000000,00000000,00000001,?,?,00000000,?,B211AFF1), ref: 004D2D0F
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: _memset$PathPrivateProfileSearchString
                                • String ID: J/M
                                • API String ID: 582612538-2554188868
                                • Opcode ID: aab3617bb89f859a1a1f6bf28806560e900c976e55dc487c60a9482f398a8d14
                                • Instruction ID: 4692963f7d416df05ce02a8c07cd532fa1bfbc1300a29e1f714706a3fff324ba
                                • Opcode Fuzzy Hash: aab3617bb89f859a1a1f6bf28806560e900c976e55dc487c60a9482f398a8d14
                                • Instruction Fuzzy Hash: AA519470A00218ABEB14EF55CD65BEE7774EF54308F10416EF50A6B3C1DB78AA84CB99
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID: invalid rootpage
                                • API String ID: 0-1762523506
                                • Opcode ID: e6f01f708893b717ad7d42a95a52d1cb5b3e55b2eb9fe63ae0843049777a3fab
                                • Instruction ID: d7430492be16b66430ec1234c17f3eade970f1296b02586fb19997ca587d9e74
                                • Opcode Fuzzy Hash: e6f01f708893b717ad7d42a95a52d1cb5b3e55b2eb9fe63ae0843049777a3fab
                                • Instruction Fuzzy Hash: F5410BF5904A316BEB154E28CC82B567BAA9F32324F140B54EC75D62E2FB21DA50CF91
                                APIs
                                  • Part of subcall function 0047F670: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 0047F6A8
                                  • Part of subcall function 0047F670: _memset.LIBCMT ref: 0047F6DE
                                  • Part of subcall function 0047F670: _swscanf.LIBCMT ref: 0047F743
                                • std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 00480A49
                                Strings
                                • Software\Microsoft\Internet Explorer\SearchScopes, xrefs: 00480A57
                                • DefaultScope, xrefs: 00480A85
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: Iterator_baseIterator_base::_std::_$_memset_swscanf
                                • String ID: DefaultScope$Software\Microsoft\Internet Explorer\SearchScopes
                                • API String ID: 3223989281-3489210924
                                • Opcode ID: 7d39a29610e07a43d30d30f7fe7cfb3e710088228ddb07654b4474d27e19fa46
                                • Instruction ID: 17e2289ef859976aae10e13b6c4c08dc8cc060edc5087ec93107110895859259
                                • Opcode Fuzzy Hash: 7d39a29610e07a43d30d30f7fe7cfb3e710088228ddb07654b4474d27e19fa46
                                • Instruction Fuzzy Hash: 1E31D570904208ABDB14EB55DC46BEEB774EF14314F1002AEE509632D1EB786B88CB59
                                APIs
                                • std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 004953D8
                                  • Part of subcall function 0041EEA0: RegOpenKeyExW.KERNEL32(00000001,?,00000000,00000000,00000000,Software\Microsoft\Internet Explorer\,00000001), ref: 0041EECA
                                  • Part of subcall function 00429BB0: RegQueryValueExW.KERNEL32(B211AFF1,00000004,00000000,B211AFF1,?,00000004,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\System), ref: 00429BE0
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 004953F5
                                • EnableLUA, xrefs: 00495416
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: Iterator_baseIterator_base::_OpenQueryValuestd::_
                                • String ID: EnableLUA$Software\Microsoft\Windows\CurrentVersion\Policies\System
                                • API String ID: 396298244-2158134279
                                • Opcode ID: 5b6ef61b085b0bc4bc7a83f1575f0a4a76af3890a5a1b122e8dae1958c0d5a78
                                • Instruction ID: 29ad32eb1deafc1a9237aec2643cf2849c09354840a95a285363a7d82d27e06b
                                • Opcode Fuzzy Hash: 5b6ef61b085b0bc4bc7a83f1575f0a4a76af3890a5a1b122e8dae1958c0d5a78
                                • Instruction Fuzzy Hash: CB11D03090064ADBCF01DFA1D902BFFBFB4EB14319F20026EE811622C1EB785A05C796
                                APIs
                                • realloc.MSVCRT ref: 60903B94
                                • sqlite3_log.SQLITE3(00000007,failed memory resize %u to %u bytes,00000000), ref: 60903BC5
                                Strings
                                • failed memory resize %u to %u bytes, xrefs: 60903BBE
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: reallocsqlite3_log
                                • String ID: failed memory resize %u to %u bytes
                                • API String ID: 576635218-2134078882
                                • Opcode ID: 8f6d4caa2889754de30f2367631292d2527324f57b35f23116663362f730015e
                                • Instruction ID: 496fa522508d29df379ed270f28b490d1029171b52e4f3f8fa37d6b537137e48
                                • Opcode Fuzzy Hash: 8f6d4caa2889754de30f2367631292d2527324f57b35f23116663362f730015e
                                • Instruction Fuzzy Hash: 48F02B7290021467D700AA6DCCC2EE7B75DDE2113CF044728FE79672C1E721E91582E1
                                APIs
                                • _malloc.LIBCMT ref: 0044F789
                                  • Part of subcall function 0044FBD9: __FF_MSGBANNER.LIBCMT ref: 0044FBFC
                                  • Part of subcall function 0044FBD9: __NMSG_WRITE.LIBCMT ref: 0044FC03
                                  • Part of subcall function 0044FBD9: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00457755,?,00000001,?,?,00457D86,00000018,005444D8,0000000C,00457E17), ref: 0044FC50
                                • std::bad_alloc::bad_alloc.LIBCMT ref: 0044F7AC
                                  • Part of subcall function 0044F754: std::exception::exception.LIBCMT ref: 0044F760
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: AllocateHeap_mallocstd::bad_alloc::bad_allocstd::exception::exception
                                • String ID: Pyr
                                • API String ID: 3447465555-3752401018
                                • Opcode ID: 9798d2fbd8a35ec4791c01fb945c9509123a38e1a08f81124272773985e9c178
                                • Instruction ID: a2ac23eca041f9d271ebf24056ea33b4297bb616494d032b84d1e5c4886cc8d0
                                • Opcode Fuzzy Hash: 9798d2fbd8a35ec4791c01fb945c9509123a38e1a08f81124272773985e9c178
                                • Instruction Fuzzy Hash: D7F0823190120566FB046722EC17A9A3FA89B4535CB10403FFC0595592DE6DBA4D929D
                                APIs
                                • malloc.MSVCRT ref: 60903AD0
                                • sqlite3_log.SQLITE3(00000007,failed to allocate %u bytes of memory,?), ref: 60903AF7
                                Strings
                                • failed to allocate %u bytes of memory, xrefs: 60903AF0
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: mallocsqlite3_log
                                • String ID: failed to allocate %u bytes of memory
                                • API String ID: 2785431543-1168259600
                                • Opcode ID: 8f1167f9e321355d4fa7257d5f96707e57438272189537b4023769f3260f76bf
                                • Instruction ID: 19a4bc077595593a1b0bfab31218722fd2a56940640533b8b1c674912728f01a
                                • Opcode Fuzzy Hash: 8f1167f9e321355d4fa7257d5f96707e57438272189537b4023769f3260f76bf
                                • Instruction Fuzzy Hash: 66F0ECF2D4071557D6109A78DC82A86765DDF20274F044318EEB9572C1E335E954C2E5
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID: %s: %s$%s: %s.%s$no such table$no such view
                                • API String ID: 0-3140039220
                                • Opcode ID: eb25d8fb3db9ded76a3ee55ac9190a82cd4a2cab011dd819604761cffb22a3f8
                                • Instruction ID: 7cc03d51fff522dbbdb0ec8bdd01af5911c3575e51cd7820bada5d8bf21aaf27
                                • Opcode Fuzzy Hash: eb25d8fb3db9ded76a3ee55ac9190a82cd4a2cab011dd819604761cffb22a3f8
                                • Instruction Fuzzy Hash: 9E012861526145ABEB105929AD45EDB3B6EDF71368F100224FC35A6389E731DE10C2B5
                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_free
                                • String ID:
                                • API String ID: 2313487548-0
                                • Opcode ID: f5f8d5fa98a14417f1cfcbc30d44e3324cecf19b513e3175c947083ed5581bca
                                • Instruction ID: d03ef03d4bbd73d1441b1019a553664019b3508faa0fd7d166a10e4baf09793d
                                • Opcode Fuzzy Hash: f5f8d5fa98a14417f1cfcbc30d44e3324cecf19b513e3175c947083ed5581bca
                                • Instruction Fuzzy Hash: 6C31D9B2D14101A7DB1096FD8C42B593AAB9B77234F14032CB979D62E0FB75CA50DF92
                                APIs
                                  • Part of subcall function 609091EC: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 60909215
                                  • Part of subcall function 609091EC: malloc.MSVCRT ref: 60909225
                                  • Part of subcall function 609091EC: GetFullPathNameW.KERNEL32(00000000,00000003,00000000,00000000), ref: 60909238
                                  • Part of subcall function 609091EC: free.MSVCRT(00000000), ref: 60909241
                                  • Part of subcall function 609091EC: free.MSVCRT(00000000), ref: 609092AD
                                  • Part of subcall function 60908290: GetVersionExA.KERNEL32(00000094), ref: 609082B6
                                • GetDiskFreeSpaceW.KERNEL32(00000000,?,?,?,?), ref: 60909386
                                • GetDiskFreeSpaceA.KERNEL32(00000000,?,?,?,?), ref: 609093C6
                                • free.MSVCRT(00000000), ref: 609093D4
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: free$DiskFreeFullNamePathSpace$Versionmalloc
                                • String ID:
                                • API String ID: 259670142-0
                                • Opcode ID: 2ee08938dbebde141e464c2faaf72ffdf55ead1f3d609b9abbc2fa2e99d4f3ba
                                • Instruction ID: c13c1de1ed19f499a6eb1f85fa74c16fdeed82ba04dbd512cc3c4c8dd83cf59e
                                • Opcode Fuzzy Hash: 2ee08938dbebde141e464c2faaf72ffdf55ead1f3d609b9abbc2fa2e99d4f3ba
                                • Instruction Fuzzy Hash: 90213AB180021896EF108A148CC2BE6B7BEDFB6754F04419CE9B7561C5E774CE85CAA1
                                APIs
                                  • Part of subcall function 6090EB0C: sqlite3_mutex_try.SQLITE3(?), ref: 6090EB2F
                                • sqlite3_free.SQLITE3(?), ref: 609108B8
                                • sqlite3_free.SQLITE3(0C74C085), ref: 609108CD
                                • sqlite3_free.SQLITE3(6091A72E), ref: 609108F3
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_free$sqlite3_mutex_try
                                • String ID:
                                • API String ID: 3233236265-0
                                • Opcode ID: a5a156b957e02e06afe94ef21ce3777b505d7f5d77066e00495279f7cf70133b
                                • Instruction ID: cc93277c806f593a3160b34c7a313b1c247e7cd1c6c25dd1de6fd437e5c51142
                                • Opcode Fuzzy Hash: a5a156b957e02e06afe94ef21ce3777b505d7f5d77066e00495279f7cf70133b
                                • Instruction Fuzzy Hash: E021A6B1E0C50557D7119A29CC8265A76AAAFB1138F1403A8E878922D1FF63E9F1C6D2
                                APIs
                                • sqlite3_mutex_enter.SQLITE3(?), ref: 6093D352
                                • sqlite3_finalize.SQLITE3(?), ref: 6093D390
                                • sqlite3_mutex_leave.SQLITE3(?), ref: 6093D3C7
                                  • Part of subcall function 60953294: sqlite3_log.SQLITE3(00000015,misuse detected by source line %d,60901481), ref: 609532A7
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_finalizesqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                • String ID:
                                • API String ID: 2040966590-0
                                • Opcode ID: a91bdeee3206f7191473c6d9ac069113b9570c190ec5d7692993c0e2bccb8e0d
                                • Instruction ID: 63cd1504d8fd3829497c77d45d450729f4156b650d5caf8e597a502662a1aa18
                                • Opcode Fuzzy Hash: a91bdeee3206f7191473c6d9ac069113b9570c190ec5d7692993c0e2bccb8e0d
                                • Instruction Fuzzy Hash: 632154B69045156BDB009E6CDC82D9B77AD9B39138F140314FD78D33D0FB25DA214BA2
                                APIs
                                • GetFileAttributesW.KERNEL32(00000000), ref: 60909191
                                • free.MSVCRT(00000000), ref: 609091AA
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: AttributesFilefree
                                • String ID:
                                • API String ID: 1936811914-0
                                • Opcode ID: 3a6f906823e74196f4369fb82ed36704e9fccd713561e211fe98abb64d5ca903
                                • Instruction ID: 659c47d346f8c4759ea920938fb13339e7caf9788de8a36cb714f4d16a578403
                                • Opcode Fuzzy Hash: 3a6f906823e74196f4369fb82ed36704e9fccd713561e211fe98abb64d5ca903
                                • Instruction Fuzzy Hash: 8401A9B2F0D1069BDB509A688C4658E76ABDB72238F214369DC76532C1FB35DE109291
                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: FileFindLibraryLoadNamePath_wcscpy
                                • String ID:
                                • API String ID: 138660897-0
                                • Opcode ID: 27f36e94a2a0778c7418ac5df22fa15c45a046c2cd3d214a7575e3742c6b0493
                                • Instruction ID: a037339b6b14c3ba7ad3918af33b6b3a3ac40648552c2881e58c205521017534
                                • Opcode Fuzzy Hash: 27f36e94a2a0778c7418ac5df22fa15c45a046c2cd3d214a7575e3742c6b0493
                                • Instruction Fuzzy Hash: 1C2193B4A4011CCBDB14EF54E888BE9B7B1AF28304F4485DAE40D5B351D7749E84CFA5
                                APIs
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,004F721A,?,00000000,bab_tmp_web.html,00000000,00000000,00000000,B211AFF1), ref: 0049E5CD
                                • DeleteFileW.KERNEL32(00000000,?,?,004F721A,?,00000000,bab_tmp_web.html,00000000,00000000,00000000,B211AFF1), ref: 0049E5DF
                                • GetLastError.KERNEL32(?,004F721A,?,00000000,bab_tmp_web.html,00000000,00000000,00000000,B211AFF1), ref: 0049E5E9
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: File$AttributesDeleteErrorLast
                                • String ID:
                                • API String ID: 1736513994-0
                                • Opcode ID: c92789c02eee6c880e195e83b484d1ee3f6e110011f4c04e5ce39a863ca8df47
                                • Instruction ID: 6351115cbb09d7aa138f8d0f2ad5c1d28e13df6de63dbdbedb9bb6d0ae47607d
                                • Opcode Fuzzy Hash: c92789c02eee6c880e195e83b484d1ee3f6e110011f4c04e5ce39a863ca8df47
                                • Instruction Fuzzy Hash: 4AF0E930541214BBEF10DFB3C81D2BE7F68AE2231EF40C06AF80257301DA38DA04EA69
                                APIs
                                • _flsall.LIBCMT ref: 00454783
                                  • Part of subcall function 00454695: __lock.LIBCMT ref: 004546AB
                                  • Part of subcall function 00454695: __fflush_nolock.LIBCMT ref: 004546FE
                                  • Part of subcall function 00454695: __fflush_nolock.LIBCMT ref: 00454719
                                • __lock_file.LIBCMT ref: 0045478E
                                • __fflush_nolock.LIBCMT ref: 0045479A
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: __fflush_nolock$__lock__lock_file_flsall
                                • String ID:
                                • API String ID: 3191677874-0
                                • Opcode ID: 52c7afea7693b7ed2fc4494ba75b2b917faf4296f78d700552b798d78652eab3
                                • Instruction ID: df69c37a0585eb237e8c77f5074acb39a1f6f7b9e8a8b20465a291b48fc48bb7
                                • Opcode Fuzzy Hash: 52c7afea7693b7ed2fc4494ba75b2b917faf4296f78d700552b798d78652eab3
                                • Instruction Fuzzy Hash: C2E01B31801214E6CF117F66D44154D7B606F4576EB61811FFC145E193C77C45C69A8D
                                APIs
                                • RemoveDirectoryW.KERNEL32(000000FF,?,0049E5A4,00000000,?,004D65B9,?,000000FF,000000FF,0000005C,000000FF,?,00000000,00000000,B211AFF1), ref: 00455220
                                • GetLastError.KERNEL32(?,0049E5A4,00000000,?,004D65B9,?,000000FF,000000FF,0000005C,000000FF,?,00000000,00000000,B211AFF1), ref: 0045522A
                                • __dosmaperr.LIBCMT ref: 00455239
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: DirectoryErrorLastRemove__dosmaperr
                                • String ID:
                                • API String ID: 4061612599-0
                                • Opcode ID: 4f121293ec929a833d3eeb2b2a184cae1bd3b805ed201971d6b715f4f866c10b
                                • Instruction ID: 3663204bc7aed2f6ba477911cfe8aae5d527464cf46f9ba901a5bb3a8d9226d4
                                • Opcode Fuzzy Hash: 4f121293ec929a833d3eeb2b2a184cae1bd3b805ed201971d6b715f4f866c10b
                                • Instruction Fuzzy Hash: 07D05E31244A05669B001BB6AC1C9373B9C9A8137AB1586A6FC2CC8192EF29C858AE95
                                APIs
                                • sqlite3_log.SQLITE3(00000015,attempt to step a halted statement: [%s],8B008B08), ref: 6091C69D
                                  • Part of subcall function 60953294: sqlite3_log.SQLITE3(00000015,misuse detected by source line %d,60901481), ref: 609532A7
                                Strings
                                • attempt to step a halted statement: [%s], xrefs: 6091C696
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: attempt to step a halted statement: [%s]
                                • API String ID: 632333372-2339818827
                                • Opcode ID: 1f2b5daa3b4b14f749fca9c2702807986b288fc7289239ee8985f0dfca12e49d
                                • Instruction ID: bbd9f7189ee84a2b8f80b65ba1661f325a3072ccd405baa39e58a4cb72831c01
                                • Opcode Fuzzy Hash: 1f2b5daa3b4b14f749fca9c2702807986b288fc7289239ee8985f0dfca12e49d
                                • Instruction Fuzzy Hash: F551F6B0E08708DBEB109F64C88679A7BF6EF21314F1049F8D8A5561E0E775D9D4CB42
                                APIs
                                • GetTempPathW.KERNEL32(00000104,?,00000000,?,?,?,?,?,?,?,Babylon\), ref: 004F7A00
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1889096592.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889351222.0000000000561000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889374941.0000000000562000.00000008.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005BB000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005C0000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889475016.00000000005C5000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: PathTemp
                                • String ID: Babylon\
                                • API String ID: 2920410445-964554263
                                • Opcode ID: 01e39b693c25781fd295dd812cbe60f750a6679ea871724ac6065dbb077cab3c
                                • Instruction ID: 9b04c22fcb007ae7e9457040daaacfd2f73ff2dc511d6759e3a31cb4679aa1fb
                                • Opcode Fuzzy Hash: 01e39b693c25781fd295dd812cbe60f750a6679ea871724ac6065dbb077cab3c
                                • Instruction Fuzzy Hash: 40516CB190811CABDB14EF64DC85BFEB775EB04304F1046AEE6156A281DBB96B80CF94
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                • statement aborts at %d: [%s] %s, xrefs: 60924204
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: statement aborts at %d: [%s] %s
                                • API String ID: 632333372-2689542837
                                • Opcode ID: 7066ce6e1bafcb4085b1a3631bb4308c98ca1b233f14b3e6030a946903ec4c8c
                                • Instruction ID: 9ee7f25955d43d4587585c4810daa5cddbfb558fa9e7a2281e672cc55c545f75
                                • Opcode Fuzzy Hash: 7066ce6e1bafcb4085b1a3631bb4308c98ca1b233f14b3e6030a946903ec4c8c
                                • Instruction Fuzzy Hash: FF51ADB5A082589FDB20CB24CC80BD9BBBAAB25314F1486C5E92D67381D774EED4CF51
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                • statement aborts at %d: [%s] %s, xrefs: 60924204
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: statement aborts at %d: [%s] %s
                                • API String ID: 632333372-2689542837
                                • Opcode ID: 88ae97e6488b8b1641570e77473552d8b4c18afa189f0cf1dc1669e95bb3a582
                                • Instruction ID: 83f3bfb23382df68853f291616bfbaaf759684d33e3bc0a969078b7f617871c5
                                • Opcode Fuzzy Hash: 88ae97e6488b8b1641570e77473552d8b4c18afa189f0cf1dc1669e95bb3a582
                                • Instruction Fuzzy Hash: 57513474A04259CFDB20CF18CC80B99BBB6BB68314F1482CAD5286B391D735AED5CF81
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                • statement aborts at %d: [%s] %s, xrefs: 60924204
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: statement aborts at %d: [%s] %s
                                • API String ID: 632333372-2689542837
                                • Opcode ID: ca49788b52dc906d2cba764578d7bcf5765601c1a01c3320828af99dd9738d3a
                                • Instruction ID: 42ad4650155ff693ba559a8fab728d192a5753cad8323d82b10730113a5fb5f2
                                • Opcode Fuzzy Hash: ca49788b52dc906d2cba764578d7bcf5765601c1a01c3320828af99dd9738d3a
                                • Instruction Fuzzy Hash: B3416775904258DBDB20CF18CC80BD8BBB6BB24314F1482C5D92967391D735AED5CF91
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 87f616540f7f44d69780a92439d8f6db8376fe96b592b1834ff7ad522c4d7445
                                • Instruction ID: bf70b904da6f2ca64fee05611fc93cc4ddb01cddf01376ffa40037706adba531
                                • Opcode Fuzzy Hash: 87f616540f7f44d69780a92439d8f6db8376fe96b592b1834ff7ad522c4d7445
                                • Instruction Fuzzy Hash: 1AD1D871E082598BDB10DF58C8807AEB7B6BF56314F1482D9E864AB381E735DDD2CB90
                                APIs
                                • sqlite3_mutex_enter.SQLITE3 ref: 6090A99B
                                • sqlite3_mutex_leave.SQLITE3 ref: 6090AB23
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                • String ID:
                                • API String ID: 1477753154-0
                                • Opcode ID: 11f6b1868a0f8f107017f49a607d618c73ce2223802d71ed98baba292f3839cb
                                • Instruction ID: fd9e6936b827b2d34e02c42f90cdc5be3c22cd5b6dec935e1cc00e3bd1548123
                                • Opcode Fuzzy Hash: 11f6b1868a0f8f107017f49a607d618c73ce2223802d71ed98baba292f3839cb
                                • Instruction Fuzzy Hash: 11518E707146018FDB20DF28C9C0A167BFBBB25324B14862DE8678B291EB71E954CBD1
                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1889096592.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889351222.0000000000561000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889374941.0000000000562000.00000008.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005BB000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005C0000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889475016.00000000005C5000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: _malloc
                                • String ID:
                                • API String ID: 1579825452-0
                                • Opcode ID: 1f4683d2b1306d40b509edc54ac84bcfc5467a5719c2c086f472fc357bee0cee
                                • Instruction ID: df91038d099b1b4b522d305ef8bb70a4a0e57c4531d7ef9d9bfc64abd1436176
                                • Opcode Fuzzy Hash: 1f4683d2b1306d40b509edc54ac84bcfc5467a5719c2c086f472fc357bee0cee
                                • Instruction Fuzzy Hash: AF5125B0A01219DBDB00DB94C5407BEF3B2FF54304F24C5AAE85A9B392E7799D81DB49
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_snprintf$sqlite3_randomness
                                • String ID:
                                • API String ID: 798288620-0
                                • Opcode ID: 91170aba16af0ed3a6b3f0ba70bed373e7775fca15d44f4309003493f55d04d3
                                • Instruction ID: f8925964b9f258a0edee308246e7d2fa03528ede57605856a04b0da804077278
                                • Opcode Fuzzy Hash: 91170aba16af0ed3a6b3f0ba70bed373e7775fca15d44f4309003493f55d04d3
                                • Instruction Fuzzy Hash: ED31C771E0011997EB148A28CC42BCB767BAB65364F104298FBA9962C0E7B4DE81CBD1
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 30fec75b9d3ca9c8aa1a3f050604866febd6a03e28acdf344dc616409b3274b0
                                • Instruction ID: 7708292a0572d08909394fb5371f3e64f937b17924dfd63ad490f9a120cf9478
                                • Opcode Fuzzy Hash: 30fec75b9d3ca9c8aa1a3f050604866febd6a03e28acdf344dc616409b3274b0
                                • Instruction Fuzzy Hash: 301104E2D0455167E3115A2C8C42A7F766EAB73A74F15032CFC76D62C1E725CE209BE2
                                APIs
                                • SetNamedSecurityInfoW.ADVAPI32(00000000,?,00000004,00000000,00000000,?,00000000), ref: 004377BE
                                • SetSecurityInfo.ADVAPI32(00000000,?,00000004,00000000,00000000,?,00000000), ref: 004377EF
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1889096592.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889351222.0000000000561000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889374941.0000000000562000.00000008.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005BB000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005C0000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889475016.00000000005C5000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: InfoSecurity$Named
                                • String ID:
                                • API String ID: 1251317361-0
                                • Opcode ID: 213b4ededc78d369680173a65b288f7f28ba7a2a23b2be0c41c87a29f073bcba
                                • Instruction ID: a2b8ff7ae77a91c2532cae16f9ca67c2c13b1ca59425d14f0ca56bd06f68f9b8
                                • Opcode Fuzzy Hash: 213b4ededc78d369680173a65b288f7f28ba7a2a23b2be0c41c87a29f073bcba
                                • Instruction Fuzzy Hash: 7011E5B4744204EFEB18CB98C995FAA73B5AB4C700F204189F6059F391C775AE41DB98
                                APIs
                                • sqlite3_mutex_leave.SQLITE3 ref: 6090A45D
                                • sqlite3_mutex_enter.SQLITE3 ref: 6090A479
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                • String ID:
                                • API String ID: 1477753154-0
                                • Opcode ID: 3cd74f2481981113371e3c0ec8c62aad6966592f0605dd200326626c1fb991b8
                                • Instruction ID: f0fabee83f39ba5a1483fb82bfdfca12b1f035ad63bcbb4c01013b876c494000
                                • Opcode Fuzzy Hash: 3cd74f2481981113371e3c0ec8c62aad6966592f0605dd200326626c1fb991b8
                                • Instruction Fuzzy Hash: 62019671A6810157EB0066798C83795395E9732338F40032CB979A62F2FFA1D56091D2
                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1889096592.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889351222.0000000000561000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889374941.0000000000562000.00000008.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005BB000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005C0000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889475016.00000000005C5000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: __lock_file_memset
                                • String ID:
                                • API String ID: 26237723-0
                                • Opcode ID: 37ef9b4903a69fa08c2e22f251cd5e38d13e6d41c0040cdc2554639083a2e4eb
                                • Instruction ID: d7dfcb793dc1720f97a4c8db5cdb919cf0c013a247f2a2882a06d8a2a7a3e963
                                • Opcode Fuzzy Hash: 37ef9b4903a69fa08c2e22f251cd5e38d13e6d41c0040cdc2554639083a2e4eb
                                • Instruction Fuzzy Hash: 37018071C41209EBCF61AFA1D8028DE3B70BF5476AF00411AFC1459163D3398AAAEBD9
                                APIs
                                  • Part of subcall function 00454477: __getptd_noexit.LIBCMT ref: 00454477
                                  • Part of subcall function 004557A5: __decode_pointer.LIBCMT ref: 004557B0
                                • __lock_file.LIBCMT ref: 004545B9
                                  • Part of subcall function 0045D801: __lock.LIBCMT ref: 0045D826
                                • __fclose_nolock.LIBCMT ref: 004545C3
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1889096592.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889351222.0000000000561000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889374941.0000000000562000.00000008.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005BB000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005C0000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889475016.00000000005C5000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
                                • String ID:
                                • API String ID: 717694121-0
                                • Opcode ID: e8809228c1312b64c1facbe8e66023ba57e1e74e3ceb212012b6ea9c4ce00062
                                • Instruction ID: e4cb9d1e5c9697cfff4e0b800dbd3b9f6b75d0fe3744077fef0c531a8bdeec8e
                                • Opcode Fuzzy Hash: e8809228c1312b64c1facbe8e66023ba57e1e74e3ceb212012b6ea9c4ce00062
                                • Instruction Fuzzy Hash: CCF0F470801608A7C720BB6A880165E7AA06F8133EF61820AED759B1C3DA3C458A8B1E
                                APIs
                                • sqlite3_mutex_enter.SQLITE3 ref: 6090431A
                                • sqlite3_mutex_leave.SQLITE3 ref: 60904338
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                • String ID:
                                • API String ID: 1477753154-0
                                • Opcode ID: 252a1d84d60d7eff27cebac1937a1fd5219e4195db1709eb5e28d0fa761f7634
                                • Instruction ID: 4664ddc6e3cfcb1b03a9730242c5ad089370ab895e3025d35eb9357e146f4f7f
                                • Opcode Fuzzy Hash: 252a1d84d60d7eff27cebac1937a1fd5219e4195db1709eb5e28d0fa761f7634
                                • Instruction Fuzzy Hash: 44F0A9B0C14105E7DF04DB68CD81A4C7BBA6B76218F100314A435E32E0E730DA549F51
                                APIs
                                • CLSIDFromProgID.OLE32(?,?), ref: 0043079B
                                • CoCreateInstance.OLE32(?,?,?,0053BAB4,?), ref: 004307BF
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.1889096592.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889300800.000000000051B000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889351222.0000000000561000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889374941.0000000000562000.00000008.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005BB000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889427306.00000000005C0000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 00000002.00000002.1889475016.00000000005C5000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: CreateFromInstanceProg
                                • String ID:
                                • API String ID: 2151042543-0
                                APIs
                                  • Part of subcall function 60908290: GetVersionExA.KERNEL32(00000094), ref: 609082B6
                                • GetFileAttributesW.KERNEL32(00000000), ref: 60909191
                                • GetFileAttributesA.KERNEL32(00000000), ref: 6090919C
                                • free.MSVCRT(00000000), ref: 609091AA
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: AttributesFile$Versionfree
                                • String ID:
                                • API String ID: 977502171-0
                                APIs
                                • sqlite3_mutex_leave.SQLITE3 ref: 6090A45D
                                • sqlite3_mutex_enter.SQLITE3 ref: 6090A479
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                • String ID:
                                • API String ID: 1477753154-0
                                APIs
                                • InternetCloseHandle.WININET(?), ref: 004EDD27
                                • InternetCloseHandle.WININET ref: 004EDD3B
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: CloseHandleInternet
                                • String ID:
                                • API String ID: 1081599783-0
                                APIs
                                • FreeLibrary.KERNEL32(?,?,?,00448F1F), ref: 0047E280
                                • SetCurrentDirectoryW.KERNEL32(-00000010,?,?,00448F1F), ref: 0047E298
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: CurrentDirectoryFreeLibrary
                                • String ID:
                                • API String ID: 2760881011-0
                                APIs
                                • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,004D6543,?,00000000,00000000,00000000,B211AFF1), ref: 0049E622
                                • GetLastError.KERNEL32 ref: 0049E637
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: CreateDirectoryErrorLast
                                • String ID:
                                • API String ID: 1375471231-0
                                APIs
                                • sqlite3_mutex_enter.SQLITE3 ref: 6090A57B
                                • sqlite3_mutex_leave.SQLITE3 ref: 6090A597
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                • String ID:
                                • API String ID: 1477753154-0
                                APIs
                                • __getptd.LIBCMT ref: 00451F0E
                                  • Part of subcall function 00457400: __getptd_noexit.LIBCMT ref: 00457403
                                  • Part of subcall function 00457400: __amsg_exit.LIBCMT ref: 00457410
                                  • Part of subcall function 00451EC5: __IsNonwritableInCurrentImage.LIBCMT ref: 00451ED8
                                  • Part of subcall function 00451EC5: __getptd_noexit.LIBCMT ref: 00451EE8
                                  • Part of subcall function 00451EC5: __freeptd.LIBCMT ref: 00451EF2
                                  • Part of subcall function 00451EC5: ExitThread.KERNEL32 ref: 00451EFB
                                • __XcptFilter.LIBCMT ref: 00451F2F
                                  • Part of subcall function 0045B73E: __getptd_noexit.LIBCMT ref: 0045B746
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadXcpt__amsg_exit__freeptd__getptd
                                • String ID:
                                • API String ID: 393088965-0
                                APIs
                                • ___crtCorExitProcess.LIBCMT ref: 004579A4
                                  • Part of subcall function 00457971: GetModuleHandleW.KERNEL32(mscoree.dll,?,004579A9,?,?,0044FC12,000000FF,0000001E,?,00457755,?,00000001,?,?,00457D86,00000018), ref: 0045797B
                                  • Part of subcall function 00457971: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0045798B
                                • ExitProcess.KERNEL32 ref: 004579AD
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: ExitProcess$AddressHandleModuleProc___crt
                                • String ID:
                                • API String ID: 2427264223-0
                                Strings
                                • statement too long, xrefs: 6093D07E
                                • database schema is locked: %s, xrefs: 6093D280
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: memset
                                • String ID: database schema is locked: %s$statement too long
                                • API String ID: 2221118986-388537643
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID: @ $SQLite format 3
                                • API String ID: 0-3708268960
                                Strings
                                • duplicate column name: %s, xrefs: 6092EC24
                                • too many columns on %s, xrefs: 6092EB68
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID: duplicate column name: %s$too many columns on %s
                                • API String ID: 0-1445880494
                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: memset
                                • String ID:
                                • API String ID: 2221118986-0
                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: CloseHandleSleep
                                • String ID:
                                • API String ID: 252777609-0
                                APIs
                                  • Part of subcall function 00413670: allocator.LIBCPMTD ref: 0041367C
                                • allocator.LIBCPMTD ref: 004137C8
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: allocator
                                • String ID:
                                • API String ID: 3447690668-0
                                APIs
                                  • Part of subcall function 00417AF0: allocator.LIBCPMTD ref: 00417AFC
                                • allocator.LIBCPMTD ref: 00417D98
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: allocator
                                • String ID:
                                • API String ID: 3447690668-0
                                APIs
                                • GetNamedSecurityInfoW.ADVAPI32(00000000,?,00000004,00000000,00000000,-00000008,00000000,-00000004,B211AFF1,00000000,00000000,B211AFF1), ref: 00437692
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: InfoNamedSecurity
                                • String ID:
                                • API String ID: 1443090519-0
                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_free
                                • String ID:
                                • API String ID: 2313487548-0
                                APIs
                                • RegQueryValueExW.KERNEL32(00000020,00000001,00000000,00000020,?,00000001,0047F702,svcVersion,00000001,00000020,Software\Microsoft\Internet Explorer\,00000001,B211AFF1), ref: 0041EE1C
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: QueryValue
                                • String ID:
                                • API String ID: 3660427363-0
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                APIs
                                  • Part of subcall function 00413670: allocator.LIBCPMTD ref: 0041367C
                                • std::_String_base::_Xlen.LIBCPMT ref: 004138B6
                                  • Part of subcall function 0044F642: __EH_prolog3.LIBCMT ref: 0044F649
                                  • Part of subcall function 0044F642: __CxxThrowException@8.LIBCMT ref: 0044F674
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: Exception@8H_prolog3String_base::_ThrowXlenallocatorstd::_
                                • String ID:
                                • API String ID: 1545032231-0
                                APIs
                                  • Part of subcall function 00417AF0: allocator.LIBCPMTD ref: 00417AFC
                                • std::_String_base::_Xlen.LIBCPMT ref: 00417F06
                                  • Part of subcall function 0044F642: __EH_prolog3.LIBCMT ref: 0044F649
                                  • Part of subcall function 0044F642: __CxxThrowException@8.LIBCMT ref: 0044F674
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: Exception@8H_prolog3String_base::_ThrowXlenallocatorstd::_
                                • String ID:
                                • API String ID: 1545032231-0
                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: _wcscpy
                                • String ID:
                                • API String ID: 3048848545-0
                                APIs
                                • RegCreateKeyExW.KERNEL32(?,?,00000000,?,?,00000000,?,00000000,?), ref: 004225B2
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                APIs
                                • sqlite3_free.SQLITE3(60910896), ref: 6090CE19
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_free
                                • String ID:
                                • API String ID: 2313487548-0
                                APIs
                                • __lock_file.LIBCMT ref: 00453018
                                  • Part of subcall function 00454477: __getptd_noexit.LIBCMT ref: 00454477
                                  • Part of subcall function 004557A5: __decode_pointer.LIBCMT ref: 004557B0
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: __decode_pointer__getptd_noexit__lock_file
                                • String ID:
                                • API String ID: 3158947991-0
                                APIs
                                • IsValidCodePage.KERNEL32(00000000,?,?), ref: 0042465B
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: CodePageValid
                                • String ID:
                                • API String ID: 1911128615-0
                                APIs
                                • RegOpenKeyExW.KERNEL32(00000001,?,00000000,00000000,00000000,Software\Microsoft\Internet Explorer\,00000001), ref: 0041EECA
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: Open
                                • String ID:
                                • API String ID: 71445658-0
                                APIs
                                • RegQueryValueExW.KERNEL32(B211AFF1,00000004,00000000,B211AFF1,?,00000004,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\System), ref: 00429BE0
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: QueryValue
                                • String ID:
                                • API String ID: 3660427363-0
                                APIs
                                • __CxxThrowException@8.LIBCMT ref: 00422325
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: Exception@8Throw
                                • String ID:
                                • API String ID: 2005118841-0
                                • Opcode ID: 51adc74b9379154cd41a32ef4eadfa634359d11483bdd6614d585e8f61affed7
                                • Instruction ID: 218380e137a9cda01037389fa399fa7050ee02f79230bbd1205917fc7ec33d19
                                • Opcode Fuzzy Hash: 51adc74b9379154cd41a32ef4eadfa634359d11483bdd6614d585e8f61affed7
                                • Instruction Fuzzy Hash: DDE0E570A0010877EB04EE60D94279D3B28EB10365F80822AEC0A4A0C1EB7CDA888689
                                APIs
                                • SysAllocString.OLEAUT32(00000000), ref: 00416A6C
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: AllocString
                                • String ID:
                                • API String ID: 2525500382-0
                                • Opcode ID: cd2e3157aedfae8d4ec1c35ac79bc8dd3da163bfe9599e596e78145049c49148
                                • Instruction ID: 4e11b3bf686c8dac04beb14184bf081868b29cf303705d7bf430a457e43ce406
                                • Opcode Fuzzy Hash: cd2e3157aedfae8d4ec1c35ac79bc8dd3da163bfe9599e596e78145049c49148
                                • Instruction Fuzzy Hash: 03F030B4500209EBC700DF91C441B9EB7B4AF05380F21819AE8056B350C739EE80DB98
                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: Close
                                • String ID:
                                • API String ID: 3535843008-0
                                • Opcode ID: 91ea06a02c1e2abaa4150cc088f806866b2a54e11f8803adc4cfb31c19173421
                                • Instruction ID: 820672166823583b4fef396b48c4dbdbd765742b514186620d846768b76c89e1
                                • Opcode Fuzzy Hash: 91ea06a02c1e2abaa4150cc088f806866b2a54e11f8803adc4cfb31c19173421
                                • Instruction Fuzzy Hash: ADF0E578900308EFDB00CF98D594B9EBFB4EB49304F1080D9E804AB390C776AE85DB90
                                APIs
                                • std::ios_base::clear.LIBCPMTD ref: 0041BF1A
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: std::ios_base::clear
                                • String ID:
                                • API String ID: 1443086396-0
                                • Opcode ID: 2325b5d6b71185ad4023a2eeba2beaf10933f99d6d3ea6ff054782269e7e8cb5
                                • Instruction ID: ae02523c46e99c435d5c099cb1e3fe5f9fbdd10f5a29947be30c5a7f5bd070aa
                                • Opcode Fuzzy Hash: 2325b5d6b71185ad4023a2eeba2beaf10933f99d6d3ea6ff054782269e7e8cb5
                                • Instruction Fuzzy Hash: 5AE0867050410CFBD708DF89C811BEE7368EB04304F00805EFA0657341CB74AA50DB9A
                                APIs
                                • RegDeleteValueW.KERNEL32(00000000,?), ref: 00422F69
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: DeleteValue
                                • String ID:
                                • API String ID: 1108222502-0
                                • Opcode ID: 623dbd52a23a3001517e907731fa794683d2616bae9e7e4ea07a56ac7a586e52
                                • Instruction ID: 466e9685c4020b865daf75248f732fbf60c7d645a2e0b63f6194d1e79d89bd0b
                                • Opcode Fuzzy Hash: 623dbd52a23a3001517e907731fa794683d2616bae9e7e4ea07a56ac7a586e52
                                • Instruction Fuzzy Hash: E7D0A77170420DBB8B28CF95EA44CABB7B8EB5D340740816EF80DC7310E631AD20E69C
                                APIs
                                • CoCreateInstance.OLE32(000000FF,00000000,000000FF,0053D3B4,B211AFF1,?,?,00490443,0051BAFC,00000000,00000017,00000000,00000000,000000FF,00000000,000000FF), ref: 0044306C
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: CreateInstance
                                • String ID:
                                • API String ID: 542301482-0
                                • Opcode ID: e2591718d38672465c40d119d12b6cfdae1246e638e281d2108abddb0f8c5d8b
                                • Instruction ID: d7e829fc0369689cf003dd1b57fd33423f6668e70923e4d6f68ba6fba734b568
                                • Opcode Fuzzy Hash: e2591718d38672465c40d119d12b6cfdae1246e638e281d2108abddb0f8c5d8b
                                • Instruction Fuzzy Hash: 2AD067B660420CBB8B04CFD9EC45CAEB7BCEB5C750B108549B90887300D631AE109BA5
                                APIs
                                • CoCreateInstance.OLE32(?,?,?,0053CF74,?), ref: 00437AAC
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: CreateInstance
                                • String ID:
                                • API String ID: 542301482-0
                                • Opcode ID: c76a93c8dda563ca09de8436f311000b923d96e04156aac0c2651e21dd266a7f
                                • Instruction ID: f73b2f5284ed43214768cfbef9e89ad460cf6b85a71958eb3d5c5efea98f88b6
                                • Opcode Fuzzy Hash: c76a93c8dda563ca09de8436f311000b923d96e04156aac0c2651e21dd266a7f
                                • Instruction Fuzzy Hash: CFD067B660420CBB8B04CFC9EC45CAABBBDEB5D750B108249B908D7210D631AA109BA4
                                APIs
                                • sqlite3_initialize.SQLITE3 ref: 609047F6
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_initialize
                                • String ID:
                                • API String ID: 1587646821-0
                                • Opcode ID: 36b63ac14b60dffc2f132cac53708e7b818b42ca35d0c5f8cda13a58a29b6653
                                • Instruction ID: 5a80e46bbea1b6854053c66244f213c9620a54976c2f013ffa70d705f99e720a
                                • Opcode Fuzzy Hash: 36b63ac14b60dffc2f132cac53708e7b818b42ca35d0c5f8cda13a58a29b6653
                                • Instruction Fuzzy Hash: C7C0805550810463CF022E796C03545359F1E3215CF00C7757D36D05F1FF61C92569D2
                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: __waccess_s
                                • String ID:
                                • API String ID: 4272103461-0
                                • Opcode ID: 121c4f77d4c72d3789264fc0d0d617dc9724d87233f222cead199be475d85574
                                • Instruction ID: c01e5d1af73e778fe685e865bf1456fca0106d4cf4c4f886beebd409df1a495b
                                • Opcode Fuzzy Hash: 121c4f77d4c72d3789264fc0d0d617dc9724d87233f222cead199be475d85574
                                • Instruction Fuzzy Hash: BBC02B3300400C3F4F091DEAEC00C043F09C6C0334710C116FD0D8C091CD33D4508140
                                APIs
                                • LoadIconW.USER32(00000000,?), ref: 00430C6D
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_Setup.jbxd
                                Similarity
                                • API ID: IconLoad
                                • String ID:
                                • API String ID: 2457776203-0
                                • Opcode ID: c1faa09f4f785da8416501cfa79b623e6527bea0b98c0640d009af28b8f5a3e0
                                • Instruction ID: 66c64ca7837ccd3f90d8f9c0a6c812c238f115f6fe2ef9b00aef91b11007dafd
                                • Opcode Fuzzy Hash: c1faa09f4f785da8416501cfa79b623e6527bea0b98c0640d009af28b8f5a3e0
                                • Instruction Fuzzy Hash: 72B0927540030CAB8A006BEAE81988A379CAA0C794F449601B508C3101EA38F40046A8
                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: memset
                                • String ID:
                                • API String ID: 2221118986-0
                                • Opcode ID: 76647cd81213faea548130273107bb085240746b16f80304578fe787fd450cd1
                                • Instruction ID: f39993e993573b65b63cd5e1abb0462a8debe00eb81330fcb50bd93ec9898047
                                • Opcode Fuzzy Hash: 76647cd81213faea548130273107bb085240746b16f80304578fe787fd450cd1
                                • Instruction Fuzzy Hash: 54416F71A04613AFE711CF59C981B55B7FAFB24320F004228EA2AC7690E775EDA0CBD1
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_log
                                • String ID:
                                • API String ID: 632333372-0
                                • Opcode ID: 506b3d15cd17b07dfe4212d09fe8f7bd50b060c6abe962177c3b89115f95baf4
                                • Instruction ID: 1f04bb15884eb2c6b51a010e810bc3bf69d7d6fded97f083e7dffa864ce27243
                                • Opcode Fuzzy Hash: 506b3d15cd17b07dfe4212d09fe8f7bd50b060c6abe962177c3b89115f95baf4
                                • Instruction Fuzzy Hash: 5E413B71A056109BEB019E68CC41B4A77FAAF35324F00061CE9B6973D0EBB1DA90C792
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID: :memory:
                                • API String ID: 0-2920599690
                                • Opcode ID: 74aca58e6b1d6ca12c4aa40c2443642e488636fba2830c39f73856c57c2e63d5
                                • Instruction ID: b68c899c896599bf75df46d4fb2cdc118fb8492675fa3b8f9ef040adbcb0e4b3
                                • Opcode Fuzzy Hash: 74aca58e6b1d6ca12c4aa40c2443642e488636fba2830c39f73856c57c2e63d5
                                • Instruction Fuzzy Hash: 371126B2A051066BEB02CD59CC86BDA3BEA9B36264F080211FD34972D0E771DE748791
                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: memset
                                • String ID:
                                • API String ID: 2221118986-0
                                • Opcode ID: cbce822985c5ce30bcceca0df121638809b8ce102d404281179133b6b77b81fd
                                • Instruction ID: 7fe6444ce52f5a3e57e6ea77c19ad45f0c56640ad6813ebb634d5be834b0a71e
                                • Opcode Fuzzy Hash: cbce822985c5ce30bcceca0df121638809b8ce102d404281179133b6b77b81fd
                                • Instruction Fuzzy Hash: F3115271E0011AABCB14CFD9C881ADEFBF5FF58324F108229E925A7391D371DA549B85
                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: memset
                                • String ID:
                                • API String ID: 2221118986-0
                                • Opcode ID: 99c06240577e7f89618e3c9052a4a6132dfe366c2d3ba33d9a3186d18a03536c
                                • Instruction ID: b67fe2b34ec3ce884075812e654bb7f2e00c7ecc20ebe368a731d242f4d2e10f
                                • Opcode Fuzzy Hash: 99c06240577e7f89618e3c9052a4a6132dfe366c2d3ba33d9a3186d18a03536c
                                • Instruction Fuzzy Hash: 81F0B472A002247BDB209A6CDC46F97B76CEB98B24F004614FD75AB2C1D270DD1086E1
                                APIs
                                  • Part of subcall function 609092E8: GetDiskFreeSpaceW.KERNEL32(00000000,?,?,?,?), ref: 60909386
                                  • Part of subcall function 609092E8: free.MSVCRT(00000000), ref: 609093D4
                                • free.MSVCRT(?), ref: 60909054
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: free$DiskFreeSpace
                                APIs
                                • CoUninitialize.OLE32(?,0041A0C8), ref: 004EDEB3
                                Memory Dump Source
                                • Source File: 00000002.00000002.1889192267.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Uninitialize
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_mutex_try
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: memset
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_log
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 970b0561da0015a17861cdc83cfc08fc13bb76945da0c96a21ac5d14a06b2d07
                                • Instruction ID: 21be004f82dd0839152a8a536d1425ed108f4f8cbea35f27f989b636b73825ac
                                • Opcode Fuzzy Hash: 970b0561da0015a17861cdc83cfc08fc13bb76945da0c96a21ac5d14a06b2d07
                                • Instruction Fuzzy Hash: E9E0A731B4810977EB012D98CC8269A3A999F20274F500564BE7856191F7A7DA7542C1
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2d4742730d6f360d764a7f6c5bbf12eb0594cfbe98baa75a323f27545bfd8629
                                • Instruction ID: 98ee122f9c29e5d7107f3914d6a30f6a314534ebab6c871e928f1a4d99992895
                                • Opcode Fuzzy Hash: 2d4742730d6f360d764a7f6c5bbf12eb0594cfbe98baa75a323f27545bfd8629
                                • Instruction Fuzzy Hash: 9FF0A072A04119BB8F019E65DC41ACF3BADEF19264F000190FD18E7250F731EE20C7A1
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c0df1e51da45415925668301ab72901e2a14b7d84a7cb6a90c318d0e0b9c3910
                                • Instruction ID: e405c61a6e7be50b98ce3654b93c026bd5761a41d36a553427d79ea6d13a8167
                                • Opcode Fuzzy Hash: c0df1e51da45415925668301ab72901e2a14b7d84a7cb6a90c318d0e0b9c3910
                                • Instruction Fuzzy Hash: 01F02750A0C21492CB14AB18D8417EDB7B2EB62329F1442D9D8614A1D1E739CCF1C3C0
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: af65a3d631628823e687def3f6d19015fcdd1f72832fbdba5fe8f1034989c213
                                • Instruction ID: 55b091fb18dd09ece8453ce2d66ae1d44380535aed17b3865139653b050c0290
                                • Opcode Fuzzy Hash: af65a3d631628823e687def3f6d19015fcdd1f72832fbdba5fe8f1034989c213
                                • Instruction Fuzzy Hash: 9DE0867190C20856EF107B188C467867BADDB52278F400180DD64521C6F371EDF481D5
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f99d14bf8fbc07732cbc2f39d6a3b1a7dd5df540defcf466aa60da1cbed48f6c
                                • Instruction ID: 26f55ac1c9f498b12feb362d2fd9275342f4697450b047d4618f39501f38cf2f
                                • Opcode Fuzzy Hash: f99d14bf8fbc07732cbc2f39d6a3b1a7dd5df540defcf466aa60da1cbed48f6c
                                • Instruction Fuzzy Hash: ADE086725042059BCB40DA28DCC2B1E3BBD7B65308F408168A916D7293E774D80096F1
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7991bd63e6e019e094be2c4642b1c759a0f14e573ddcca8f88e8da0271e04cd9
                                • Instruction ID: 0f447ffcab6f1f46753cb52270d8d57128efdff7fd2c6c58bef3e02a4816b2fc
                                • Opcode Fuzzy Hash: 7991bd63e6e019e094be2c4642b1c759a0f14e573ddcca8f88e8da0271e04cd9
                                • Instruction Fuzzy Hash: 40E04FF0A006299BDB00DE25C8C1A227BADAB19254F4085A0DD248A187E360D8418BE0
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b7296681d4fb2030d459278eb110e836970ce2117611a0d8449795ae48a627e2
                                • Instruction ID: e9296346ef2cfde397e83085042576787077a6b1bc330484072eb11bc25dbbce
                                • Opcode Fuzzy Hash: b7296681d4fb2030d459278eb110e836970ce2117611a0d8449795ae48a627e2
                                • Instruction Fuzzy Hash: D8E0EC7420010AAFCB00DF5CCCC2C9B77A9BB4C258B004250FA19972A2D730ED61CBE1
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5bf389a3bb93a7727f756f494b8a77f3b6a306dcb07db62fe1412f448f934923
                                • Instruction ID: 2efcd8b2ff37269bb77bd3b0feab30e75bcc736ecd7582b5f3e8873e88ab2d92
                                • Opcode Fuzzy Hash: 5bf389a3bb93a7727f756f494b8a77f3b6a306dcb07db62fe1412f448f934923
                                • Instruction Fuzzy Hash: 53D02B335086144AC721915C6C413D7B7E69B91174F140799DAA282280F77ADD6543C2
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d2d3653d86dcd7ed673cdbe17e32c615cb71284adc3fec73a11e81f8c69e4fa0
                                • Instruction ID: 678537832fa9bd9733453f21b78d1f123fd125d8d130c81ec16e0ad788c2bad9
                                • Opcode Fuzzy Hash: d2d3653d86dcd7ed673cdbe17e32c615cb71284adc3fec73a11e81f8c69e4fa0
                                • Instruction Fuzzy Hash: F8D05EB06002065BDB00DB6DCCC2F07BBEDBB49218F5483649528DB296E730E80087E2
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5adb71f7dce9dbd50224646de4a6e692bda88cf6747b2adc1cdebc66ae2413b0
                                • Instruction ID: a5c365fabed6efddaac6ea043c7ad0b47c60b3f8e494f476cfbb6a206df8f5d3
                                • Opcode Fuzzy Hash: 5adb71f7dce9dbd50224646de4a6e692bda88cf6747b2adc1cdebc66ae2413b0
                                • Instruction Fuzzy Hash: 78D05E31504109AFCF01DF58CC42C5A3BA9AB84214F008220BD249B2A4C631E9308BE1
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c9d0e18886a1f05d08d641d67bcc0731a63f75ccd779d3d03fa9ed4a3cd8efaa
                                • Instruction ID: 20e42c29e8f54a3badbc30a4f109453edf17b4d43528fe28a3d934507f2f9dcd
                                • Opcode Fuzzy Hash: c9d0e18886a1f05d08d641d67bcc0731a63f75ccd779d3d03fa9ed4a3cd8efaa
                                • Instruction Fuzzy Hash: 01D05E74C0830DABCF00DFA8CC42ADEBBB9AB15264F448659AC34A7384D7B4D6118BC0
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0e0ef087562752eb0958546aa418c1ca12f858d13bde6d7129905fc2aaeb9abf
                                • Instruction ID: 06c4032034fb1017fc80d30e7abadf1ab780deb906e55e30b51f78f31b856b3a
                                • Opcode Fuzzy Hash: 0e0ef087562752eb0958546aa418c1ca12f858d13bde6d7129905fc2aaeb9abf
                                • Instruction Fuzzy Hash: A2D0C97250020ABBCF026EA4AC03F8A3E26AB14758F004210BE24641E0D7B2D675AB92
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 348eaf78c4e93ce922fb5afe967b7907324a9c759633b82b08b83e02c87cb1ad
                                • Instruction ID: c148025675a70aa995fd4b127b87ec1a1c68ba2d98bacfe8f1b18997ccc6eee9
                                • Opcode Fuzzy Hash: 348eaf78c4e93ce922fb5afe967b7907324a9c759633b82b08b83e02c87cb1ad
                                • Instruction Fuzzy Hash: 7BD0C97250020ABBCF026EA4AC03F8A3E26AB14658F104210BE24641E0D772D635AB96
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 682bd5ae795c519cb90feb08d281fe8d1157591cd0ce79110fdb14c78bbd2376
                                • Instruction ID: c72946663c9919fc52ffb320e73154feb11a1ef09e10178ef2f3de2833933cc7
                                • Opcode Fuzzy Hash: 682bd5ae795c519cb90feb08d281fe8d1157591cd0ce79110fdb14c78bbd2376
                                • Instruction Fuzzy Hash: F2D012F590C2098ADB206F149C423C5B6AAD73237CF201656C4A1511C0E7BDD5E08681
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6040ff81fdf73f95b50ae5f34db73daff3dc57411bed2637f0beed1bc72bb58b
                                • Instruction ID: 7225e7657ee54b4b9debc8cf90594290dfc8edf3e42625350d37e780e50304e0
                                • Opcode Fuzzy Hash: 6040ff81fdf73f95b50ae5f34db73daff3dc57411bed2637f0beed1bc72bb58b
                                • Instruction Fuzzy Hash: B3C08C2020060617D600ABBC8C035043A980B426BCF000320A978DB3D0EE60D92186A6
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Similarity
                                • API ID: sqlite3_closesqlite3_errcodesqlite3_freesqlite3_initializesqlite3_mutex_leave
                                • String ID:
                                • API String ID: 3875421754-0
                                APIs
                                • sqlite3_mutex_enter.SQLITE3(?), ref: 6092455B
                                • sqlite3_mutex_leave.SQLITE3(?), ref: 60924AE8
                                Strings
                                Similarity
                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                • String ID: cannot open %s column for writing$cannot open value of type %s$cannot open view: %s$cannot open virtual table: %s$d$foreign key$indexed$integer$no such column: "%s"$no such rowid: %lld$null$real
                                • API String ID: 1477753154-2623903907
                                APIs
                                • sqlite3_value_type.SQLITE3(?), ref: 609613BF
                                • sqlite3_value_int64.SQLITE3(?), ref: 609613FB
                                  • Part of subcall function 6095F100: sqlite3_bind_int64.SQLITE3(?,00000001,?,?), ref: 6095F124
                                  • Part of subcall function 6095F100: sqlite3_step.SQLITE3(?), ref: 6095F132
                                  • Part of subcall function 6095F100: sqlite3_column_int64.SQLITE3(?,00000000), ref: 6095F14A
                                  • Part of subcall function 6095F100: sqlite3_reset.SQLITE3(?), ref: 6095F16B
                                  • Part of subcall function 6095E808: sqlite3_free.SQLITE3(?), ref: 6095E874
                                • sqlite3_step.SQLITE3(?), ref: 60961484
                                • sqlite3_reset.SQLITE3(?), ref: 60961498
                                  • Part of subcall function 60960AA4: sqlite3_bind_int64.SQLITE3(?,00000001,?,?), ref: 60960B04
                                  • Part of subcall function 60960AA4: sqlite3_step.SQLITE3(?), ref: 60960B12
                                  • Part of subcall function 60960AA4: sqlite3_reset.SQLITE3(?), ref: 60960B23
                                  • Part of subcall function 60960AA4: sqlite3_bind_int64.SQLITE3(?,00000001,?,?), ref: 60960B3F
                                  • Part of subcall function 60960AA4: sqlite3_step.SQLITE3(?), ref: 60960B4D
                                  • Part of subcall function 60960AA4: sqlite3_reset.SQLITE3(?), ref: 60960B5E
                                • sqlite3_bind_int64.SQLITE3(?,00000001,00000000), ref: 60961473
                                  • Part of subcall function 6091D348: sqlite3_mutex_leave.SQLITE3(?), ref: 6091D394
                                • sqlite3_value_double.SQLITE3(00000001), ref: 609615FE
                                • sqlite3_value_double.SQLITE3(?), ref: 60961613
                                • sqlite3_value_type.SQLITE3(?), ref: 609616C3
                                Similarity
                                • API ID: sqlite3_bind_int64sqlite3_resetsqlite3_step$sqlite3_value_doublesqlite3_value_type$sqlite3_column_int64sqlite3_freesqlite3_mutex_leavesqlite3_value_int64
                                • String ID:
                                • API String ID: 2198192541-0
                                APIs
                                • sqlite3_malloc.SQLITE3(?), ref: 6095C51D
                                  • Part of subcall function 60904358: sqlite3_initialize.SQLITE3(609038B0,0000000A), ref: 6090435E
                                • sqlite3_free.SQLITE3(00000000), ref: 6095C567
                                Similarity
                                • API ID: sqlite3_freesqlite3_initializesqlite3_malloc
                                • String ID:
                                • API String ID: 1320878182-0
                                APIs
                                • GetLastError.KERNEL32 ref: 60908DA9
                                  • Part of subcall function 60908290: GetVersionExA.KERNEL32(00000094), ref: 609082B6
                                • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 60908DD5
                                  • Part of subcall function 60908354: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,609084D5,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,609084D5,00000000), ref: 60908372
                                  • Part of subcall function 60908354: malloc.MSVCRT ref: 6090837D
                                • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,00000000,00000000,00000000), ref: 60908E14
                                • sqlite3_win32_mbcs_to_utf8.SQLITE3(00000000), ref: 60908E28
                                • LocalFree.KERNEL32(00000000), ref: 60908E35
                                • sqlite3_snprintf.SQLITE3(00000000,?,OsError 0x%x (%u),00000000,00000000), ref: 60908E53
                                Strings
                                Similarity
                                • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidemallocsqlite3_snprintfsqlite3_win32_mbcs_to_utf8
                                • String ID: OsError 0x%x (%u)
                                • API String ID: 1501714734-2664311388
                                APIs
                                • sqlite3_malloc.SQLITE3(-00000048), ref: 6095A832
                                Strings
                                • SELECT block FROM %Q.'%q_segments' WHERE blockid BETWEEN ? AND ? ORDER BY blockid, xrefs: 6095A8B1
                                Similarity
                                • API ID: sqlite3_malloc
                                • String ID: SELECT block FROM %Q.'%q_segments' WHERE blockid BETWEEN ? AND ? ORDER BY blockid
                                • API String ID: 121933993-3221364531
                                APIs
                                  • Part of subcall function 60959B1C: sqlite3_malloc.SQLITE3(?), ref: 60959B6E
                                • sqlite3_bind_int.SQLITE3(?,00000001,?), ref: 6095AE40
                                  • Part of subcall function 6091D32C: sqlite3_bind_int64.SQLITE3(?,?,?), ref: 6091D33E
                                • sqlite3_bind_int.SQLITE3(?,00000002,?), ref: 6095AE50
                                • sqlite3_bind_int64.SQLITE3(?,00000003,00000000,00000000), ref: 6095AE5F
                                  • Part of subcall function 6091D348: sqlite3_mutex_leave.SQLITE3(?), ref: 6091D394
                                • sqlite3_bind_int64.SQLITE3(?,00000004,?,?,?,00000003,00000000,00000000), ref: 6095AE71
                                • sqlite3_bind_int64.SQLITE3(?,00000005,?,?), ref: 6095AE86
                                • sqlite3_bind_blob.SQLITE3(?,00000006,?,?,00000000), ref: 6095AE9B
                                • sqlite3_step.SQLITE3(?), ref: 6095AEA9
                                • sqlite3_reset.SQLITE3(?), ref: 6095AEB4
                                Similarity
                                • API ID: sqlite3_bind_int64$sqlite3_bind_int$sqlite3_bind_blobsqlite3_mallocsqlite3_mutex_leavesqlite3_resetsqlite3_step
                                • String ID:
                                • API String ID: 3007788792-0
                                APIs
                                • sqlite3_malloc.SQLITE3(00000000), ref: 6095BF48
                                • sqlite3_free.SQLITE3(00000000), ref: 6095C0EE
                                • sqlite3_reset.SQLITE3(00000000), ref: 6095C10B
                                  • Part of subcall function 6095AA00: sqlite3_realloc.SQLITE3(00000000,-00000010), ref: 6095AA96
                                  • Part of subcall function 6095AA00: qsort.MSVCRT ref: 6095AAC5
                                  • Part of subcall function 6095AA00: sqlite3_malloc.SQLITE3 ref: 6095AB11
                                  • Part of subcall function 6095AA00: sqlite3_free.SQLITE3(00000000), ref: 6095AB80
                                  • Part of subcall function 6095B85C: sqlite3_step.SQLITE3(?), ref: 6095B87F
                                  • Part of subcall function 6095B85C: sqlite3_column_int.SQLITE3(?,00000000), ref: 6095B894
                                  • Part of subcall function 6095B85C: sqlite3_column_int.SQLITE3(?,00000001), ref: 6095B8A8
                                  • Part of subcall function 6095B85C: sqlite3_reset.SQLITE3(?), ref: 6095B8BD
                                Similarity
                                • API ID: sqlite3_column_intsqlite3_freesqlite3_mallocsqlite3_reset$qsortsqlite3_reallocsqlite3_step
                                • String ID:
                                • API String ID: 2532341188-0
                                APIs
                                • sqlite3_malloc.SQLITE3(?), ref: 6095E4EE
                                Similarity
                                • API ID: sqlite3_malloc
                                • String ID:
                                • API String ID: 121933993-0
                                APIs
                                  • Part of subcall function 60959B1C: sqlite3_malloc.SQLITE3(?), ref: 60959B6E
                                • sqlite3_bind_int64.SQLITE3(00000000,00000001,?,?,?,00000000,-00000004,00000001,?,?,6095C08F,00000000,00000000,00000000,00000000), ref: 6095B90F
                                  • Part of subcall function 6091D348: sqlite3_mutex_leave.SQLITE3(?), ref: 6091D394
                                • sqlite3_bind_int64.SQLITE3(00000000,00000002,?,?,00000000,00000001,?,?,?,00000000,-00000004,00000001,?,?,6095C08F,00000000), ref: 6095B921
                                • sqlite3_step.SQLITE3(?), ref: 6095B92F
                                • sqlite3_reset.SQLITE3(?), ref: 6095B93A
                                • sqlite3_bind_int.SQLITE3(?,00000001,?), ref: 6095B986
                                • sqlite3_step.SQLITE3(?), ref: 6095B991
                                • sqlite3_reset.SQLITE3(?), ref: 6095B99F
                                Similarity
                                • API ID: sqlite3_bind_int64sqlite3_resetsqlite3_step$sqlite3_bind_intsqlite3_mallocsqlite3_mutex_leave
                                • String ID:
                                • API String ID: 3755738686-0
                                APIs
                                  • Part of subcall function 60959B1C: sqlite3_malloc.SQLITE3(?), ref: 60959B6E
                                • sqlite3_value_type.SQLITE3(?), ref: 6095A2C6
                                • sqlite3_value_type.SQLITE3(?), ref: 6095A2D8
                                • sqlite3_value_type.SQLITE3(?), ref: 6095A2EB
                                • sqlite3_bind_value.SQLITE3(?,00000001,?), ref: 6095A30F
                                • sqlite3_step.SQLITE3(?), ref: 6095A323
                                • sqlite3_reset.SQLITE3(?), ref: 6095A32E
                                • sqlite3_last_insert_rowid.SQLITE3(?), ref: 6095A33E
                                Similarity
                                • API ID: sqlite3_value_type$sqlite3_bind_valuesqlite3_last_insert_rowidsqlite3_mallocsqlite3_resetsqlite3_step
                                • String ID:
                                • API String ID: 3081080716-0
                                APIs
                                • sqlite3_malloc.SQLITE3(?), ref: 60959B6E
                                  • Part of subcall function 60904358: sqlite3_initialize.SQLITE3(609038B0,0000000A), ref: 6090435E
                                • sqlite3_mprintf.SQLITE3(?,?,?), ref: 60959BDB
                                • sqlite3_prepare_v2.SQLITE3(?,00000000,000000FF,?,00000000), ref: 60959C02
                                • sqlite3_free.SQLITE3(00000000), ref: 60959C10
                                • sqlite3_bind_parameter_count.SQLITE3(?), ref: 60959C2D
                                • sqlite3_bind_value.SQLITE3(?,00000001,00000000), ref: 60959C54
                                Similarity
                                • API ID: sqlite3_bind_parameter_countsqlite3_bind_valuesqlite3_freesqlite3_initializesqlite3_mallocsqlite3_mprintfsqlite3_prepare_v2
                                • String ID:
                                • API String ID: 3278180815-0
                                • Opcode ID: 18692898372de74cbf23a0b0f2bb44dd9cf6d86e37d546d412ce138dcd4b4f4a
                                • Instruction ID: b4a09aef58b8cddcabb9f7151a1b60f96c5eda274e24b509bc50419e000d90c3
                                • Opcode Fuzzy Hash: 18692898372de74cbf23a0b0f2bb44dd9cf6d86e37d546d412ce138dcd4b4f4a
                                • Instruction Fuzzy Hash: BC41E8B19042059BEB12CF6DCC80B8977B6EB25324F244264EC689B392E736DD65CB81
                                APIs
                                  • Part of subcall function 6095E808: sqlite3_free.SQLITE3(?), ref: 6095E874
                                • sqlite3_bind_int64.SQLITE3(?,00000001,?,?), ref: 60960B04
                                  • Part of subcall function 6091D348: sqlite3_mutex_leave.SQLITE3(?), ref: 6091D394
                                • sqlite3_step.SQLITE3(?), ref: 60960B12
                                • sqlite3_reset.SQLITE3(?), ref: 60960B23
                                • sqlite3_bind_int64.SQLITE3(?,00000001,?,?), ref: 60960B3F
                                • sqlite3_step.SQLITE3(?), ref: 60960B4D
                                  • Part of subcall function 6091C89C: sqlite3_mutex_enter.SQLITE3(?), ref: 6091C8E0
                                  • Part of subcall function 6091C89C: sqlite3_value_text.SQLITE3(?), ref: 6091C945
                                  • Part of subcall function 6091C89C: sqlite3_mutex_leave.SQLITE3(?), ref: 6091C9A5
                                • sqlite3_reset.SQLITE3(?), ref: 60960B5E
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_bind_int64sqlite3_mutex_leavesqlite3_resetsqlite3_step$sqlite3_freesqlite3_mutex_entersqlite3_value_text
                                • String ID:
                                • API String ID: 1750425793-0
                                • Opcode ID: 2ad1d4c2bccb3a29a6f0b2ce8919a52d0b189a5e1b7e18f7c42da1f3a33191f8
                                • Instruction ID: 4f68ccd179a380efd5659d1471bfe83fe293ef3ed0ea822ba068165c08208973
                                • Opcode Fuzzy Hash: 2ad1d4c2bccb3a29a6f0b2ce8919a52d0b189a5e1b7e18f7c42da1f3a33191f8
                                • Instruction Fuzzy Hash: D521F8B19042016BDB109F25CCC2F5777AADFB5328F148A74FD788A291FB31D9608B90
                                APIs
                                • sqlite3_malloc.SQLITE3(?), ref: 6095C44C
                                  • Part of subcall function 60904358: sqlite3_initialize.SQLITE3(609038B0,0000000A), ref: 6090435E
                                • sqlite3_free.SQLITE3(00000000), ref: 6095C493
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_freesqlite3_initializesqlite3_malloc
                                • String ID:
                                • API String ID: 1320878182-0
                                • Opcode ID: f1f57ee46a17e401ebef0e0a15fc602783291e74db996be995f0096b36c92ae9
                                • Instruction ID: e267160085c5aa0db600db62f476984198a6b1a231cf8f4f6f45d6c3fc9f14e4
                                • Opcode Fuzzy Hash: f1f57ee46a17e401ebef0e0a15fc602783291e74db996be995f0096b36c92ae9
                                • Instruction Fuzzy Hash: 4A2198B1A04109BFDB129F55CC42FDE7B7AEF25324F000260F924962A1EB35DAA5CBD1
                                APIs
                                  • Part of subcall function 60959B1C: sqlite3_malloc.SQLITE3(?), ref: 60959B6E
                                • sqlite3_reset.SQLITE3(?), ref: 60959CFB
                                • sqlite3_bind_int64.SQLITE3(?,00000001,?,?), ref: 60959D0E
                                  • Part of subcall function 6091D348: sqlite3_mutex_leave.SQLITE3(?), ref: 6091D394
                                • sqlite3_step.SQLITE3(?), ref: 60959D19
                                • sqlite3_column_bytes.SQLITE3(?,00000000), ref: 60959D40
                                • sqlite3_column_blob.SQLITE3(?,00000000), ref: 60959D54
                                • sqlite3_column_type.SQLITE3(?,00000000), ref: 60959D66
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_bind_int64sqlite3_column_blobsqlite3_column_bytessqlite3_column_typesqlite3_mallocsqlite3_mutex_leavesqlite3_resetsqlite3_step
                                • String ID:
                                • API String ID: 746729927-0
                                • Opcode ID: bc3e5dd34e5b2b1bf8b3d212e32a3ee096edb89f3c4a28867eb09959805632c4
                                • Instruction ID: 018e4c1faf0fa03bd5f8dad7a255f9b8b5acee94e2b5d49133b893e63729d4ba
                                • Opcode Fuzzy Hash: bc3e5dd34e5b2b1bf8b3d212e32a3ee096edb89f3c4a28867eb09959805632c4
                                • Instruction Fuzzy Hash: F611A2B1A44108A7EF129A598C42B8E3A77DB32224F200670F934A62E0EB35DE609691
                                APIs
                                • sqlite3_bind_int64.SQLITE3(?,00000001,?,?), ref: 6095E78C
                                  • Part of subcall function 6091D348: sqlite3_mutex_leave.SQLITE3(?), ref: 6091D394
                                • sqlite3_bind_null.SQLITE3(?,00000001), ref: 6095E79A
                                • sqlite3_bind_blob.SQLITE3(?,00000002,?,?,00000000), ref: 6095E7B0
                                • sqlite3_step.SQLITE3(?), ref: 6095E7BC
                                • sqlite3_reset.SQLITE3(?), ref: 6095E7CC
                                • sqlite3_last_insert_rowid.SQLITE3(?), ref: 6095E7E8
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_bind_blobsqlite3_bind_int64sqlite3_bind_nullsqlite3_last_insert_rowidsqlite3_mutex_leavesqlite3_resetsqlite3_step
                                • String ID:
                                • API String ID: 354848345-0
                                • Opcode ID: f5b77c1a73baf2739320bff967a1d151d1c77805fb865dcb1ba4192247eae9fd
                                • Instruction ID: 0c2d437f9e3f9f98a96f86f3f260c3a3121a6007b163579027d8b11bea45e42b
                                • Opcode Fuzzy Hash: f5b77c1a73baf2739320bff967a1d151d1c77805fb865dcb1ba4192247eae9fd
                                • Instruction Fuzzy Hash: 3E1106B1A047016BD721DB25CCC2F4777AAAF24338F008B24B5B9962D1F736F6648791
                                APIs
                                  • Part of subcall function 60959B1C: sqlite3_malloc.SQLITE3(?), ref: 60959B6E
                                • sqlite3_bind_int64.SQLITE3(?,00000001,?,?), ref: 6095C2B8
                                  • Part of subcall function 6091D348: sqlite3_mutex_leave.SQLITE3(?), ref: 6091D394
                                • sqlite3_step.SQLITE3(?), ref: 6095C2C3
                                • sqlite3_column_bytes.SQLITE3(?,00000000), ref: 6095C2D8
                                  • Part of subcall function 6091CCF8: sqlite3_value_bytes.SQLITE3(00000000,?,?), ref: 6091CD13
                                • sqlite3_column_blob.SQLITE3(?,00000000), ref: 6095C2E7
                                  • Part of subcall function 6091CCC0: sqlite3_value_blob.SQLITE3(00000000,?,?), ref: 6091CCDB
                                • sqlite3_reset.SQLITE3(?), ref: 6095C331
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_bind_int64sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mutex_leavesqlite3_resetsqlite3_stepsqlite3_value_blobsqlite3_value_bytes
                                • String ID:
                                • API String ID: 2574604662-0
                                • Opcode ID: c653b27fa5cd2c5eb28f0fe1b6c0ff1655b6c5d82dfe9308996d0c6115caad44
                                • Instruction ID: b955d170703aef97caf704bdf583754a0112be76118eed472aa7993fa1ace0f1
                                • Opcode Fuzzy Hash: c653b27fa5cd2c5eb28f0fe1b6c0ff1655b6c5d82dfe9308996d0c6115caad44
                                • Instruction Fuzzy Hash: 102107B1E04508ABDF11DE65CC82B9E73B7DB75324F208AA0E820A62D0E731DA658791
                                APIs
                                • sqlite3_bind_int64.SQLITE3(?,?,?,?), ref: 6091D45D
                                • sqlite3_bind_double.SQLITE3(?,?,?,?), ref: 6091D46C
                                • sqlite3_bind_null.SQLITE3(?,?), ref: 6091D4BD
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_bind_doublesqlite3_bind_int64sqlite3_bind_null
                                • String ID:
                                • API String ID: 792878655-0
                                • Opcode ID: 69b718870c3b6a1ffdda79aa7bdab6fc9edce9916a9277524c8793248152e225
                                • Instruction ID: 05a6d0f9adeea99c2db1d4b0121fb2a1dba562c6c35bad629c0f189a2849f9e0
                                • Opcode Fuzzy Hash: 69b718870c3b6a1ffdda79aa7bdab6fc9edce9916a9277524c8793248152e225
                                • Instruction Fuzzy Hash: 8E11E9B130D6087ADA210A148C82D677B6FDB362247204B85B9BA513F1D779F9D09762
                                APIs
                                • sqlite3_bind_int64.SQLITE3(?,00000001,?,?), ref: 6095F124
                                  • Part of subcall function 6091D348: sqlite3_mutex_leave.SQLITE3(?), ref: 6091D394
                                • sqlite3_step.SQLITE3(?), ref: 6095F132
                                • sqlite3_column_int64.SQLITE3(?,00000000), ref: 6095F14A
                                  • Part of subcall function 6091CDD8: sqlite3_value_int64.SQLITE3(00000000,?,?), ref: 6091CDF4
                                • sqlite3_reset.SQLITE3(?), ref: 6095F16B
                                • sqlite3_reset.SQLITE3(?), ref: 6095F17D
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_reset$sqlite3_bind_int64sqlite3_column_int64sqlite3_mutex_leavesqlite3_stepsqlite3_value_int64
                                • String ID:
                                • API String ID: 2212143358-0
                                • Opcode ID: b491a88e6c7f55ac0bed8fb85d459823000f8a43fd962af49359cd5d92c4c438
                                • Instruction ID: 50324988bfa327c4ea0df039561ae8b0859f5dda1edacd68d85bd50e74288a15
                                • Opcode Fuzzy Hash: b491a88e6c7f55ac0bed8fb85d459823000f8a43fd962af49359cd5d92c4c438
                                • Instruction Fuzzy Hash: D40188B1A486047BDB115A24CCC2B9A769AEB25338F100770FE7C572E1EB72AD604592
                                APIs
                                • sqlite3_bind_null.SQLITE3(?,00000001), ref: 6096134A
                                  • Part of subcall function 6091D3A4: sqlite3_mutex_leave.SQLITE3(?), ref: 6091D3CC
                                • sqlite3_bind_null.SQLITE3(?,00000002), ref: 6096135A
                                • sqlite3_step.SQLITE3(?), ref: 6096136B
                                • sqlite3_reset.SQLITE3(?), ref: 60961379
                                • sqlite3_last_insert_rowid.SQLITE3(?), ref: 60961389
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_bind_null$sqlite3_last_insert_rowidsqlite3_mutex_leavesqlite3_resetsqlite3_step
                                • String ID:
                                • API String ID: 4196445595-0
                                • Opcode ID: ead7cca60139fd430577834740b535810d5f5069597d77bf7e13f6d531f61621
                                • Instruction ID: 8258e713c5b68c92f407ea916273b1e3b6539d6c847dad9446445a2f5db0fbd5
                                • Opcode Fuzzy Hash: ead7cca60139fd430577834740b535810d5f5069597d77bf7e13f6d531f61621
                                • Instruction Fuzzy Hash: 03F06271A0410567DF106F29DC87BC57BA2DF65238F184370BD7C9A2E6FB3299608691
                                APIs
                                • sqlite3_bind_int64.SQLITE3(?,00000001,00000001,?), ref: 60960A2E
                                • sqlite3_step.SQLITE3(?), ref: 60960A3C
                                • sqlite3_column_int64.SQLITE3(?,00000000), ref: 60960A54
                                • sqlite3_reset.SQLITE3(?), ref: 60960A7E
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_step
                                • String ID:
                                • API String ID: 1817037124-0
                                • Opcode ID: 055c04869d044c56ffb2bbd0a1014f31377350f6f2da4d3264a0b7f21d503016
                                • Instruction ID: ff5a1a777c7f71b7ce0d1a8eaf6a54765f9f02042ba1307acc6b60576bdd4c1f
                                • Opcode Fuzzy Hash: 055c04869d044c56ffb2bbd0a1014f31377350f6f2da4d3264a0b7f21d503016
                                • Instruction Fuzzy Hash: 2011EB71B15701ABEB110A68CCC6B5B776ADBB1334F208734F978551D0F772D850C691
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 609094AD
                                • GetCurrentProcessId.KERNEL32 ref: 609094DA
                                • GetTickCount.KERNEL32 ref: 609094EE
                                • QueryPerformanceCounter.KERNEL32(?), ref: 60909507
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                • String ID:
                                • API String ID: 4122616988-0
                                • Opcode ID: 0d8807cf133ca34c0590faa52a20bb4a946ea3e1baf3347509e82ffbd8b8defe
                                • Instruction ID: e83e1061c32c6d68c11a11f5badfbde7ca9453bd94f3ee7f7d3b505adf0df2f2
                                • Opcode Fuzzy Hash: 0d8807cf133ca34c0590faa52a20bb4a946ea3e1baf3347509e82ffbd8b8defe
                                • Instruction Fuzzy Hash: DC114CB5E0061A9BCB00DFA8C8C198EFBF8EB69224B544639EC59D7744E731E9518B90
                                APIs
                                  • Part of subcall function 60959B1C: sqlite3_malloc.SQLITE3(?), ref: 60959B6E
                                • sqlite3_bind_int.SQLITE3(?,00000001,6095A1C5), ref: 6095A4B7
                                  • Part of subcall function 6091D32C: sqlite3_bind_int64.SQLITE3(?,?,?), ref: 6091D33E
                                • sqlite3_step.SQLITE3(?), ref: 6095A4C2
                                • sqlite3_column_int.SQLITE3(?,00000000), ref: 6095A4D7
                                  • Part of subcall function 6091CDA0: sqlite3_value_int.SQLITE3(00000000,?,?), ref: 6091CDBB
                                • sqlite3_reset.SQLITE3(?), ref: 6095A4E7
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_bind_intsqlite3_bind_int64sqlite3_column_intsqlite3_mallocsqlite3_resetsqlite3_stepsqlite3_value_int
                                • String ID:
                                • API String ID: 1797153026-0
                                • Opcode ID: 357dabf6e5330758bf3ed65cec7ddd3e063e06d7703c77d7b03521f18a1a219d
                                • Instruction ID: 8adf627a174992309f8c6f3f0d181ca519b32e006447acca6d6919b71a22e0ec
                                • Opcode Fuzzy Hash: 357dabf6e5330758bf3ed65cec7ddd3e063e06d7703c77d7b03521f18a1a219d
                                • Instruction Fuzzy Hash: E611E9B1E0410467DB119E558C43B9E7A7ADB31238F140260FD74A52D1FB31DA6596A2
                                APIs
                                • sqlite3_bind_int64.SQLITE3(?,00000001,?,?), ref: 609546C6
                                  • Part of subcall function 6091D348: sqlite3_mutex_leave.SQLITE3(?), ref: 6091D394
                                • sqlite3_step.SQLITE3(?), ref: 609546D1
                                • sqlite3_reset.SQLITE3(?), ref: 609546E4
                                • sqlite3_result_error_code.SQLITE3(?,00000000), ref: 60954704
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_bind_int64sqlite3_mutex_leavesqlite3_resetsqlite3_result_error_codesqlite3_step
                                • String ID:
                                • API String ID: 1929101947-0
                                • Opcode ID: 24af0c594f014682146b284eaeb8a38e4cf5e7a00290d50283afad675a9f332c
                                • Instruction ID: d16b6f8e922bd0a3facdeb67b14bf534021ae2ccf19ad54dc79f1a18286379e4
                                • Opcode Fuzzy Hash: 24af0c594f014682146b284eaeb8a38e4cf5e7a00290d50283afad675a9f332c
                                • Instruction Fuzzy Hash: 180140B150470057D7118519CC817537BDA9B7632CF004A74F9B5536D0E761FC658791
                                APIs
                                  • Part of subcall function 60959B1C: sqlite3_malloc.SQLITE3(?), ref: 60959B6E
                                • sqlite3_bind_int64.SQLITE3(?,00000001,?,?,?,?,00000000,?,?,?,6095B6C3,00000000,?,?,?,?), ref: 6095ADB8
                                  • Part of subcall function 6091D348: sqlite3_mutex_leave.SQLITE3(?), ref: 6091D394
                                • sqlite3_bind_blob.SQLITE3(?,00000002,?,?,00000000), ref: 6095ADCD
                                • sqlite3_step.SQLITE3(?), ref: 6095ADDB
                                • sqlite3_reset.SQLITE3(?), ref: 6095ADE6
                                APIs
                                  • Part of subcall function 60959B1C: sqlite3_malloc.SQLITE3(?), ref: 60959B6E
                                • sqlite3_bind_int.SQLITE3(?,00000001,?), ref: 6095B820
                                  • Part of subcall function 6091D32C: sqlite3_bind_int64.SQLITE3(?,?,?), ref: 6091D33E
                                • sqlite3_step.SQLITE3(?), ref: 6095B82B
                                • sqlite3_column_int.SQLITE3(?,00000000), ref: 6095B840
                                  • Part of subcall function 6091CDA0: sqlite3_value_int.SQLITE3(00000000,?,?), ref: 6091CDBB
                                • sqlite3_reset.SQLITE3(?), ref: 6095B855
                                APIs
                                • sqlite3_bind_int64.SQLITE3(?,00000001,?,?), ref: 6095FD02
                                  • Part of subcall function 6091D348: sqlite3_mutex_leave.SQLITE3(?), ref: 6091D394
                                • sqlite3_bind_int64.SQLITE3(?,00000002,?,?,?,00000001,?,?), ref: 6095FD11
                                • sqlite3_step.SQLITE3(?), ref: 6095FD22
                                • sqlite3_reset.SQLITE3(?), ref: 6095FD30
                                APIs
                                • sqlite3_bind_int64.SQLITE3(?,00000001,?,?), ref: 6095FD62
                                  • Part of subcall function 6091D348: sqlite3_mutex_leave.SQLITE3(?), ref: 6091D394
                                • sqlite3_bind_int64.SQLITE3(?,00000002,?,?,?,00000001,?,?), ref: 6095FD71
                                • sqlite3_step.SQLITE3(?), ref: 6095FD82
                                • sqlite3_reset.SQLITE3(?), ref: 6095FD90
                                APIs
                                • sqlite3_mutex_enter.SQLITE3(?), ref: 6091C220
                                • sqlite3_mutex_leave.SQLITE3(?), ref: 6091C275
                                APIs
                                • sqlite3_mutex_leave.SQLITE3(?), ref: 6091D394
                                APIs
                                • sqlite3_mutex_leave.SQLITE3(?), ref: 6091D31D
                                APIs
                                • sqlite3_mutex_leave.SQLITE3(?), ref: 6091D50C
                                APIs
                                • sqlite3_mutex_leave.SQLITE3(?), ref: 6091D3CC
                                APIs
                                • sqlite3_bind_int64.SQLITE3(?,?,?), ref: 6091D33E
                                  • Part of subcall function 6091D348: sqlite3_mutex_leave.SQLITE3(?), ref: 6091D394
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_bind_int64sqlite3_mutex_leave
                                • String ID:
                                • API String ID: 3064317574-0
                                • Opcode ID: fa60ab600e04b81aab5bcf32d39b5d5dfc8c460a05fd0c137406482af70415ff
                                • Instruction ID: f8c18d0f869808912b15363c5d25d2a2916a616013801bffa42f91afc986f78d
                                • Opcode Fuzzy Hash: fa60ab600e04b81aab5bcf32d39b5d5dfc8c460a05fd0c137406482af70415ff
                                • Instruction Fuzzy Hash: 2CC04C7510424CBB9F016E58DC02CAA3B6EAB9065CB408450BD1455160D775D96697A1
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c35633c0a30240a56829ee5cd7494e201f2f0cb3c837f1e9cbf3aeecef284b4a
                                • Instruction ID: 41641340c36704c7675321ba6f3f6361c1c4f933bfe4b0737bb34d42f861480f
                                • Opcode Fuzzy Hash: c35633c0a30240a56829ee5cd7494e201f2f0cb3c837f1e9cbf3aeecef284b4a
                                • Instruction Fuzzy Hash: A8E09B31B09229679B105E2888C159A379FAF1466CF400190FD2557349E730ED8186D0
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e402c64303e2df6de23da40833c2ebabd8227f9764b1243e774202073aab73b1
                                • Instruction ID: 4f9469fbe2ed685998da273f7e54a595d7bc337adf91da9cf6760780eab76c59
                                • Opcode Fuzzy Hash: e402c64303e2df6de23da40833c2ebabd8227f9764b1243e774202073aab73b1
                                • Instruction Fuzzy Hash: DEF082B060D28999FB01A624C405BA17FBA6B2230CF5442D9D4640E3C2D3BAC8C6C7E1
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 716e8f66d1ceb65bfc044de61ef7eb7ee5bb92d1d7638d627a50f90f58aaef0a
                                • Instruction ID: 874d4b04c7bd8c603a3029efe07e3bf3add4f68fa40603304677ecca75b61ec2
                                • Opcode Fuzzy Hash: 716e8f66d1ceb65bfc044de61ef7eb7ee5bb92d1d7638d627a50f90f58aaef0a
                                • Instruction Fuzzy Hash: ADD05EB19051187BDA0066299C83AEB7B1CDA1507CF444350BD79A32C2EB31AA6484EA
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_mutex_leave
                                • String ID:
                                • API String ID: 2496040974-0
                                • Opcode ID: 1416175d70cf97954087716fc2ca43874c8a5fe11537532d5aed988ce17b6562
                                • Instruction ID: 279c48ddc8b4a948af640939af752c9a8c919fdfe93f09f11f3dc6b2644fc356
                                • Opcode Fuzzy Hash: 1416175d70cf97954087716fc2ca43874c8a5fe11537532d5aed988ce17b6562
                                • Instruction Fuzzy Hash: 42D0C97250410DBBCF025E949C02B893E26AB24254F004210BE24141E0D772D575ABD5
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmpDownload File
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_mutex_leave
                                • String ID:
                                • API String ID: 2496040974-0
                                Similarity
                                • API ID: sqlite3_mutex_leave
                                • String ID:
                                • API String ID: 2496040974-0
                                APIs
                                • sqlite3_mprintf.SQLITE3(Function_00008C32,?), ref: 60961FF8
                                • sqlite3_malloc.SQLITE3(?), ref: 6096204C
                                • memset.MSVCRT ref: 6096206B
                                • memcpy.MSVCRT ref: 609620C1
                                • memcpy.MSVCRT ref: 609620D9
                                  • Part of subcall function 60961E2C: sqlite3_mprintf.SQLITE3(PRAGMA %Q.page_size,9000656C), ref: 60961E4C
                                  • Part of subcall function 60961E2C: sqlite3_free.SQLITE3(00000000), ref: 60961EB8
                                  • Part of subcall function 60961C1C: sqlite3_mprintf.SQLITE3(CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zerobl,60961F10,00000000,60961F10,00000000,60961F10,00000000,60961F10,00000000,?), ref: 60961C50
                                • sqlite3_errmsg.SQLITE3(60961F10), ref: 60962129
                                • sqlite3_mprintf.SQLITE3(Function_00008C32,00000000,60961F10), ref: 60962134
                                  • Part of subcall function 60905F80: sqlite3_initialize.SQLITE3 ref: 60905F86
                                  • Part of subcall function 60905F80: sqlite3_vmprintf.SQLITE3(?,?), ref: 60905F99
                                • sqlite3_mprintf.SQLITE3(CREATE TABLE x(%s,?), ref: 60962156
                                • sqlite3_mprintf.SQLITE3(%s);,00000000), ref: 609621B1
                                • sqlite3_free.SQLITE3(00000000), ref: 609621BC
                                • sqlite3_free.SQLITE3(00000000), ref: 6096220C
                                Strings
                                • Too many columns for an rtree table, xrefs: 60961FB2
                                • Wrong number of columns for an rtree table, xrefs: 60961FA4
                                • %s, %s, xrefs: 6096217B
                                • Too few columns for an rtree table, xrefs: 60961FAB
                                • %s);, xrefs: 609621AC
                                • CREATE TABLE x(%s, xrefs: 60962151
                                Similarity
                                • API ID: sqlite3_mprintf$sqlite3_free$memcpy$memsetsqlite3_errmsgsqlite3_initializesqlite3_mallocsqlite3_vmprintf
                                • String ID: %s);$%s, %s$CREATE TABLE x(%s$Too few columns for an rtree table$Too many columns for an rtree table$Wrong number of columns for an rtree table
                                • API String ID: 597632794-1416142182
                                APIs
                                • sqlite3_snprintf.SQLITE3(6091A3B1,00000000,keyinfo(%d,?,6091A3B1,00000000,program), ref: 60919E01
                                • sqlite3_snprintf.SQLITE3(6091A3B1,00000000,%lld,?,00000000), ref: 60919F49
                                • sqlite3_snprintf.SQLITE3(6091A3B1,00000000,%.16g,?,00000000), ref: 60919F96
                                • sqlite3_snprintf.SQLITE3(6091A3B1,00000000,intarray), ref: 60919FAD
                                • sqlite3_snprintf.SQLITE3(6091A3B1,00000000,program), ref: 60919FC1
                                Similarity
                                • API ID: sqlite3_snprintf
                                • String ID: %.16g$%lld$%s(%d)$(blob)$,...$,nil$collseq(%.20s)$intarray$keyinfo(%d$program$vtab:%p:%p
                                • API String ID: 949980604-1571949679
                                APIs
                                • sqlite3_malloc.SQLITE3(00000014), ref: 60956B24
                                  • Part of subcall function 60904358: sqlite3_initialize.SQLITE3(609038B0,0000000A), ref: 6090435E
                                • sqlite3_overload_function.SQLITE3(60952E95,snippet,000000FF), ref: 60956BAE
                                • sqlite3_overload_function.SQLITE3(60952E95,offsets,00000001), ref: 60956BCB
                                • sqlite3_overload_function.SQLITE3(60952E95,matchinfo,000000FF), ref: 60956BE4
                                • sqlite3_overload_function.SQLITE3(60952E95,optimize,00000001), ref: 60956BFD
                                • sqlite3_create_module_v2.SQLITE3(60952E95,fts3,60956A50,00000000,60956AA0), ref: 60956C1F
                                • sqlite3_create_module_v2.SQLITE3(60952E95,fts4,60956A50,00000000,00000000), ref: 60956C3E
                                • sqlite3_free.SQLITE3(00000000), ref: 60956C59
                                  • Part of subcall function 609045DC: sqlite3_mutex_enter.SQLITE3 ref: 609045FC
                                  • Part of subcall function 609045DC: sqlite3_mutex_leave.SQLITE3 ref: 6090462E
                                Similarity
                                • API ID: sqlite3_overload_function$sqlite3_create_module_v2$sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_mutex_entersqlite3_mutex_leave
                                • String ID: fts3$fts3_tokenizer$fts4$matchinfo$offsets$optimize$porter$simple$snippet
                                • API String ID: 1131944426-536992394
                                APIs
                                • sqlite3_value_text.SQLITE3(?), ref: 60902D74
                                  • Part of subcall function 609029F8: sqlite3_value_text.SQLITE3(?), ref: 60902AC2
                                • sqlite3_context_db_handle.SQLITE3(?), ref: 60902DB8
                                • sqlite3_result_text.SQLITE3(?,?,000000FF,Function_00004648), ref: 60903481
                                Similarity
                                • API ID: sqlite3_value_text$sqlite3_context_db_handlesqlite3_result_text
                                • String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld
                                • API String ID: 1879233184-866662573
                                Similarity
                                • API ID:
                                • String ID: "$AFTER$BEFORE$cannot create %s trigger on view: %S$cannot create INSTEAD OF trigger on table: %S$cannot create trigger on system table$cannot create triggers on virtual tables$sqlite_$sqlite_master$sqlite_temp_master$temporary trigger may not have qualified name$trigger$trigger %T already exists
                                • API String ID: 0-330273338
                                APIs
                                • sqlite3_user_data.SQLITE3(?), ref: 60958CD9
                                • sqlite3_value_text.SQLITE3(?), ref: 60958CE6
                                • sqlite3_value_bytes.SQLITE3(?), ref: 60958CF5
                                • sqlite3_value_bytes.SQLITE3(00000000), ref: 60958D0C
                                • sqlite3_value_blob.SQLITE3(00000000), ref: 60958D2E
                                • sqlite3_result_error.SQLITE3(?,out of memory,000000FF), ref: 60958D5D
                                • sqlite3_mprintf.SQLITE3(unknown tokenizer: %s,00000000), ref: 60958D88
                                • sqlite3_result_error.SQLITE3(?,00000000,000000FF), ref: 60958D99
                                • sqlite3_free.SQLITE3(00000000), ref: 60958DA5
                                • sqlite3_result_blob.SQLITE3(?,00000000,00000004,000000FF), ref: 60958DB8
                                Similarity
                                • API ID: sqlite3_result_errorsqlite3_value_bytes$sqlite3_freesqlite3_mprintfsqlite3_result_blobsqlite3_user_datasqlite3_value_blobsqlite3_value_text
                                • String ID: argument type mismatch$out of memory$unknown tokenizer: %s
                                • API String ID: 4245722333-3202424646
                                APIs
                                • sqlite3_malloc.SQLITE3(00000001), ref: 60960D68
                                  • Part of subcall function 60904358: sqlite3_initialize.SQLITE3(609038B0,0000000A), ref: 6090435E
                                Similarity
                                • API ID: sqlite3_initializesqlite3_malloc
                                • String ID: 0$0$0$0$0$0$0$0$VUUU$VUUU
                                • API String ID: 257566192-1730588337
                                APIs
                                • sqlite3_context_db_handle.SQLITE3(00000000), ref: 6092CC8A
                                • sqlite3_value_text.SQLITE3(?), ref: 6092CC9E
                                • sqlite3_value_text.SQLITE3(00000000), ref: 6092CCAF
                                • sqlite3_result_error.SQLITE3(00000007,00000000,000000FF), ref: 6092D00F
                                • sqlite3_result_error_code.SQLITE3(00000000,00000000), ref: 6092D037
                                Strings
                                • database is already attached, xrefs: 6092CE0C
                                • too many attached databases - max %d, xrefs: 6092CCE8
                                • cannot ATTACH database within transaction, xrefs: 6092CD04
                                • unable to open database: %s, xrefs: 6092CFE9
                                • out of memory, xrefs: 6092CFB1
                                • database %s is already in use, xrefs: 6092CFCF
                                • attached databases must use the same text encoding as main database, xrefs: 6092CE6E
                                Similarity
                                • API ID: sqlite3_value_text$sqlite3_context_db_handlesqlite3_result_errorsqlite3_result_error_code
                                • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                • API String ID: 4246710758-2001300268
                                APIs
                                • sqlite3_malloc.SQLITE3(00000040), ref: 60955892
                                  • Part of subcall function 60904358: sqlite3_initialize.SQLITE3(609038B0,0000000A), ref: 6090435E
                                • sqlite3_step.SQLITE3(00000000), ref: 60955A2B
                                • sqlite3_reset.SQLITE3(00000000), ref: 60955AFC
                                Similarity
                                • API ID: sqlite3_initializesqlite3_mallocsqlite3_resetsqlite3_step
                                • String ID: d$e
                                • API String ID: 1067067592-2091896479
                                APIs
                                • sqlite3_value_text.SQLITE3(?), ref: 60934A21
                                • sqlite3_value_bytes.SQLITE3(?), ref: 60934A39
                                • sqlite3_value_text.SQLITE3(?), ref: 60934A47
                                • sqlite3_result_value.SQLITE3(?,?), ref: 60934A68
                                • sqlite3_value_bytes.SQLITE3(?), ref: 60934A92
                                • sqlite3_value_text.SQLITE3(?), ref: 60934AA0
                                • sqlite3_value_bytes.SQLITE3(?), ref: 60934AB9
                                • memcpy.MSVCRT ref: 60934C17
                                • sqlite3_result_text.SQLITE3(?,?,00000000,?,00000000,00000000,00000000), ref: 60934C34
                                Similarity
                                • API ID: sqlite3_value_bytessqlite3_value_text$memcpysqlite3_result_textsqlite3_result_value
                                • String ID:
                                • API String ID: 3542216350-0
                                • Opcode ID: 75a3514ce17748c185a353fa0f67ae7f57a726d0bcf25383c8b27d29d093b2d3
                                • Instruction ID: c14106b4b657478d1312c4c118ce2192f02f9c54e4923836f295f8c75e9a1652
                                • Opcode Fuzzy Hash: 75a3514ce17748c185a353fa0f67ae7f57a726d0bcf25383c8b27d29d093b2d3
                                • Instruction Fuzzy Hash: 29715EB1D042199BCF04CFA8CC81ADEBBB6AF55224F144764E824A7391E736EA51CF91
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID: create$end$explain$temp$temporary$trigger
                                • API String ID: 0-841675879
                                • Opcode ID: 1d7da4529864f687d04431678373e8fe28465e75ada4d06a54cfad2d8b4046b6
                                • Instruction ID: fbb9ac625d4564087eaf7e2f1918f782665722e63130e6cb1c0165d85b386177
                                • Opcode Fuzzy Hash: 1d7da4529864f687d04431678373e8fe28465e75ada4d06a54cfad2d8b4046b6
                                • Instruction Fuzzy Hash: 3951E450C4C2E155EB23DE3758C13A57FAB4B7335CF180986D9E4AA1C3E66AC9ED8242
                                APIs
                                • sqlite3_result_error.SQLITE3(60956490,wrong number of arguments to function snippet(),00000006), ref: 60956529
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_result_error
                                • String ID: </b>$<b>$<b>...</b>$snippet$wrong number of arguments to function snippet()
                                • API String ID: 497837271-1945378564
                                • Opcode ID: d5ac0b27888895fd1cb16f1fa1c58394ed0e30a2fcf8a53621bb760accf0a853
                                • Instruction ID: 244983e56d89e341f00aec46ec57099dc5a23dc358867857e702b87e0b61be47
                                • Opcode Fuzzy Hash: d5ac0b27888895fd1cb16f1fa1c58394ed0e30a2fcf8a53621bb760accf0a853
                                • Instruction Fuzzy Hash: 8A31B3B1D04104ABDF11DEA9DC4199D3BBAAB21238F1447A0F934972E5E731CA75CB91
                                APIs
                                  • Part of subcall function 60908290: GetVersionExA.KERNEL32(00000094), ref: 609082B6
                                • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 60909215
                                • malloc.MSVCRT ref: 60909225
                                • GetFullPathNameW.KERNEL32(00000000,00000003,00000000,00000000), ref: 60909238
                                • free.MSVCRT(00000000), ref: 60909241
                                  • Part of subcall function 60908354: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,609084D5,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,609084D5,00000000), ref: 60908372
                                  • Part of subcall function 60908354: malloc.MSVCRT ref: 6090837D
                                • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6090925B
                                • malloc.MSVCRT ref: 60909267
                                • free.MSVCRT(00000000), ref: 60909279
                                • free.MSVCRT(00000000), ref: 609092AD
                                • sqlite3_snprintf.SQLITE3(?,?,Function_00008C32,00000000), ref: 609092CF
                                • free.MSVCRT(00000000), ref: 609092D8
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: free$FullNamePathmalloc$ByteCharMultiVersionWidesqlite3_snprintf
                                • String ID:
                                • API String ID: 3560540073-0
                                • Opcode ID: b7605b9a9455c9453152170a4a55271a6a38f729910fa4c8bae4c4391d87bcf8
                                • Instruction ID: 74324f075a626bbdcdb504aee7600d349973172ea213c9b6f0543d88fdfb940f
                                • Opcode Fuzzy Hash: b7605b9a9455c9453152170a4a55271a6a38f729910fa4c8bae4c4391d87bcf8
                                • Instruction Fuzzy Hash: AD21D3A1E5565136F610227C8C83F8B355E8F3223CF144324FA75A92E1FFA9EA1540E6
                                APIs
                                • sqlite3_strnicmp.SQLITE3(?,sqlite_,00000007), ref: 60930268
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_strnicmp
                                • String ID: DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'$DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q$DELETE FROM %s.sqlite_sequence WHERE name=%Q$sqlite_$sqlite_master$sqlite_stat1$sqlite_temp_master$table %s may not be dropped$use DROP TABLE to delete table %s$use DROP VIEW to delete view %s
                                • API String ID: 1961171630-3961206475
                                • Opcode ID: 13d06f124d5b553d4ee54a35ba9362953f77f484cfd11869953ec5f42fdfcf90
                                • Instruction ID: e7a7cf42c608e35153ebd3998591b2449bd2d6daf3307e108a84e14da9f9f65c
                                • Opcode Fuzzy Hash: 13d06f124d5b553d4ee54a35ba9362953f77f484cfd11869953ec5f42fdfcf90
                                • Instruction Fuzzy Hash: 4EB115B5D04218ABDB188A94CC41F9B77BAAFA9318F104718FE78972D1F731DA50CB81
                                APIs
                                • sqlite3_result_text.SQLITE3(00000000,Function_00004CBA,00000000,00000000), ref: 6095DCD5
                                • sqlite3_malloc.SQLITE3(?), ref: 6095DD21
                                • sqlite3_column_text.SQLITE3(?,00000001), ref: 6095DD9D
                                • sqlite3_column_bytes.SQLITE3(?,00000001), ref: 6095DDB1
                                • sqlite3_column_type.SQLITE3(?,00000001), ref: 6095DDC9
                                • sqlite3_free.SQLITE3(?), ref: 6095E016
                                • sqlite3_result_error_code.SQLITE3(00000000,00000000), ref: 6095E02A
                                • sqlite3_free.SQLITE3(00000000), ref: 6095E035
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_free$sqlite3_column_bytessqlite3_column_textsqlite3_column_typesqlite3_mallocsqlite3_result_error_codesqlite3_result_text
                                • String ID: %d %d %d %d
                                • API String ID: 1832002867-2566208650
                                • Opcode ID: 516c80358bbe6b3296fdc7effbc50c5f6aa15746c0f346c9f84f64f65419b403
                                • Instruction ID: 6575b16625a51575308ce0e6dda582c11d1dab06bde6150c22e7c1a7003ed6f5
                                • Opcode Fuzzy Hash: 516c80358bbe6b3296fdc7effbc50c5f6aa15746c0f346c9f84f64f65419b403
                                • Instruction Fuzzy Hash: 71C19471D002189FDB21CF69CC81B9AB7B6FB69310F108294E928A7391E771DE95CF91
                                APIs
                                • sqlite3_strnicmp.SQLITE3(?,sqlite_), ref: 6092B6C8
                                Strings
                                • sqlite_master, xrefs: 6092B86C, 6092B8B2
                                • UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;, xrefs: 6092B932
                                • sqlite_temp_master, xrefs: 6092B877, 6092B87C, 6092B8BD, 6092B8C2
                                • UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;, xrefs: 6092B881
                                • UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q, xrefs: 6092B8C7
                                • table %s may not be altered, xrefs: 6092B6DA
                                • sqlite_, xrefs: 6092B6C0
                                • sqlite_sequence, xrefs: 6092B8DF
                                • view %s may not be altered, xrefs: 6092B717
                                • UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q, xrefs: 6092B902
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_strnicmp
                                • String ID: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;$UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q$UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q$UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;$sqlite_$sqlite_master$sqlite_sequence$sqlite_temp_master$table %s may not be altered$view %s may not be altered
                                • API String ID: 1961171630-831526388
                                • Opcode ID: f8272d50f607c42de1f9fbc6676ac06c8a90b6cb450795722c95622037bae124
                                • Instruction ID: 2d89577a80bb592207cefd73a831d54b21aec9e3efc68ede97df9363d948b636
                                • Opcode Fuzzy Hash: f8272d50f607c42de1f9fbc6676ac06c8a90b6cb450795722c95622037bae124
                                • Instruction Fuzzy Hash: AB91A6BAE14104ABDB00CAA8DC81FAE77BA9F75324F148714FA38973D5E731DA508791
                                APIs
                                • sqlite3_mprintf.SQLITE3(not authorized), ref: 609398CE
                                Strings
                                • unable to open shared library [%s], xrefs: 60939927
                                • no entry point [%s] in shared library [%s], xrefs: 609399B6
                                • error during initialization: %s, xrefs: 60939A30
                                • not authorized, xrefs: 609398C9
                                • sqlite3_extension_init, xrefs: 609398E0
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_mprintf
                                • String ID: error during initialization: %s$no entry point [%s] in shared library [%s]$not authorized$sqlite3_extension_init$unable to open shared library [%s]
                                • API String ID: 4246442610-3409965631
                                • Opcode ID: fc64f668c8028e9960176747c22abcab019698dd1e335024b2c5eac9fea38f87
                                • Instruction ID: e378b22035bac129519a0f4667bf2c2842e4b5bdb1c4a5c470ff16cc671bfc42
                                • Opcode Fuzzy Hash: fc64f668c8028e9960176747c22abcab019698dd1e335024b2c5eac9fea38f87
                                • Instruction Fuzzy Hash: ED51B9B5D00511BBDB049AA88C42B9E76BAEF76324F104714FA75E62C1FF35CB109B91
                                APIs
                                • sqlite3_value_int.SQLITE3(?), ref: 60962297
                                • sqlite3_value_blob.SQLITE3(?), ref: 609622B5
                                  • Part of subcall function 6091C284: sqlite3_value_text.SQLITE3(?), ref: 6091C298
                                • sqlite3_snprintf.SQLITE3(00000200,?,60919D5E,?,?), ref: 60962313
                                • sqlite3_mprintf.SQLITE3(%s {%s},00000000,?), ref: 60962398
                                • sqlite3_free.SQLITE3(00000000), ref: 609623A9
                                • sqlite3_result_text.SQLITE3(?,00000000,000000FF,?), ref: 6096240E
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_freesqlite3_mprintfsqlite3_result_textsqlite3_snprintfsqlite3_value_blobsqlite3_value_intsqlite3_value_text
                                • String ID: %f$%s {%s}${%s}
                                • API String ID: 2269826091-3658622590
                                • Opcode ID: 858e3c971233a6133fe7752bd90005e302646362f5137a854d5c558c054cc075
                                • Instruction ID: 9d7401a3801d7c9c4e5f52f532956d4ddc374fb1626ae0b2cea2f5c164f1ebef
                                • Opcode Fuzzy Hash: 858e3c971233a6133fe7752bd90005e302646362f5137a854d5c558c054cc075
                                • Instruction Fuzzy Hash: FB41CFB18011189FEB60CB68CC81F99B7BABB54224F1002E8E62C932D1EB35DF948F55
                                APIs
                                • sqlite3_value_type.SQLITE3(?), ref: 60934779
                                • sqlite3_result_value.SQLITE3(?,?), ref: 609347AA
                                • sqlite3_value_blob.SQLITE3(?), ref: 609347B9
                                • sqlite3_value_bytes.SQLITE3(?), ref: 609347C5
                                • sqlite3_result_text.SQLITE3(?,00000000,000000FF,000000FF), ref: 60934843
                                • sqlite3_free.SQLITE3(00000000), ref: 6093484C
                                • sqlite3_value_text.SQLITE3(?), ref: 6093485D
                                • sqlite3_result_text.SQLITE3(?,00000000,00000002,?), ref: 609348F1
                                • sqlite3_result_text.SQLITE3(?,NULL,00000004,00000000), ref: 60934905
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_result_text$sqlite3_freesqlite3_result_valuesqlite3_value_blobsqlite3_value_bytessqlite3_value_textsqlite3_value_type
                                • String ID: NULL
                                • API String ID: 1474189475-324932091
                                • Opcode ID: e700ab1dae7ad3e4e6c84c8206f0737f4de53c313838124de356f8a5cf821771
                                • Instruction ID: b54950f43fa7b1f9c94cd38cbf01d86139dc8f26591a959ee3400f2bba818edb
                                • Opcode Fuzzy Hash: e700ab1dae7ad3e4e6c84c8206f0737f4de53c313838124de356f8a5cf821771
                                • Instruction Fuzzy Hash: 3B5190A190C1E15BEB154E7C8C817553F8B9B33328F1947E8E4749A3D3E72AD8458F91
                                APIs
                                • sqlite3_mprintf.SQLITE3(docid INTEGER PRIMARY KEY), ref: 6095403A
                                  • Part of subcall function 60905F80: sqlite3_initialize.SQLITE3 ref: 60905F86
                                  • Part of subcall function 60905F80: sqlite3_vmprintf.SQLITE3(?,?), ref: 60905F99
                                • sqlite3_mprintf.SQLITE3(%z, 'c%d%q',00000000,?,?), ref: 60954055
                                • sqlite3_free.SQLITE3(00000000), ref: 60954097
                                Strings
                                • CREATE TABLE %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);, xrefs: 60954105
                                • docid INTEGER PRIMARY KEY, xrefs: 60954035
                                • CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);, xrefs: 609540A8
                                • CREATE TABLE %Q.'%q_content'(%s), xrefs: 6095407E
                                • CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));, xrefs: 609540C6
                                • %z, 'c%d%q', xrefs: 60954050
                                • CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);, xrefs: 609540EA
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_mprintf$sqlite3_freesqlite3_initializesqlite3_vmprintf
                                • String ID: %z, 'c%d%q'$CREATE TABLE %Q.'%q_content'(%s)$CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);$CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));$CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);$CREATE TABLE %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);$docid INTEGER PRIMARY KEY
                                • API String ID: 4043693179-2710439789
                                • Opcode ID: 08791632cd0c62b0e2e63fd1664a97011708882902582d4096391484a6f710a4
                                • Instruction ID: 9faecd77a5fc43e786cbbe75fe313ddc9a963c8cc8aab282614c615e9d53825c
                                • Opcode Fuzzy Hash: 08791632cd0c62b0e2e63fd1664a97011708882902582d4096391484a6f710a4
                                • Instruction Fuzzy Hash: 5B319B72D006047BDB22CAF6CC81E9BB7BEAB3421CF140644F67552191E731D67C9BA1
                                APIs
                                • sqlite3_context_db_handle.SQLITE3(?), ref: 6093459A
                                • sqlite3_value_text.SQLITE3(?), ref: 609345A6
                                • sqlite3_value_text.SQLITE3(?), ref: 609345B7
                                • sqlite3_value_bytes.SQLITE3(?), ref: 609345C4
                                • sqlite3_value_text.SQLITE3(?), ref: 609345EC
                                • sqlite3_result_error.SQLITE3(?,ESCAPE expression must be a single character,000000FF), ref: 60934619
                                • sqlite3_user_data.SQLITE3(?), ref: 60934645
                                • sqlite3_result_int.SQLITE3(?,00000000,00000000,00000000,00000000,00000000), ref: 60934661
                                Strings
                                • ESCAPE expression must be a single character, xrefs: 60934613
                                • LIKE or GLOB pattern too complex, xrefs: 609345D6
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_value_text$sqlite3_context_db_handlesqlite3_result_errorsqlite3_result_intsqlite3_user_datasqlite3_value_bytes
                                • String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
                                APIs
                                • sqlite3_value_type.SQLITE3(?), ref: 60933AA4
                                • sqlite3_value_type.SQLITE3(?), ref: 60933AC0
                                • sqlite3_value_type.SQLITE3(?), ref: 60933AD6
                                • sqlite3_value_int.SQLITE3(?), ref: 60933AE4
                                • sqlite3_value_bytes.SQLITE3(?), ref: 60933B00
                                • sqlite3_value_blob.SQLITE3(?), ref: 60933B0D
                                • sqlite3_value_int.SQLITE3(00000000), ref: 60933B78
                                • sqlite3_result_text.SQLITE3(00000000,?,?,000000FF), ref: 60933CAC
                                Similarity
                                • API ID: sqlite3_value_type$sqlite3_value_int$sqlite3_result_textsqlite3_value_blobsqlite3_value_bytes
                                • String ID:
                                APIs
                                • sqlite3_value_type.SQLITE3(?), ref: 60933D35
                                • sqlite3_value_int.SQLITE3(?), ref: 60933D4C
                                • sqlite3_value_type.SQLITE3(?), ref: 60933D6B
                                • sqlite3_value_double.SQLITE3(?), ref: 60933D81
                                • sqlite3_result_double.SQLITE3(?,?,?), ref: 60933E8F
                                Similarity
                                • API ID: sqlite3_value_type$sqlite3_result_doublesqlite3_value_doublesqlite3_value_int
                                • String ID: %.*f
                                APIs
                                • sqlite3_mprintf.SQLITE3(%Q, ,?), ref: 60953D75
                                  • Part of subcall function 60905F80: sqlite3_initialize.SQLITE3 ref: 60905F86
                                  • Part of subcall function 60905F80: sqlite3_vmprintf.SQLITE3(?,?), ref: 60905F99
                                • sqlite3_mprintf.SQLITE3(%z%Q, ,00000000,?), ref: 60953D97
                                • sqlite3_mprintf.SQLITE3(CREATE TABLE x(%s %Q HIDDEN, docid HIDDEN),00000000,?), ref: 60953DB7
                                • sqlite3_declare_vtab.SQLITE3(?,00000000), ref: 60953DD7
                                • sqlite3_free.SQLITE3(00000000), ref: 60953DE5
                                • sqlite3_free.SQLITE3(00000000), ref: 60953DEE
                                Similarity
                                • API ID: sqlite3_mprintf$sqlite3_free$sqlite3_declare_vtabsqlite3_initializesqlite3_vmprintf
                                • String ID: %Q, $%z%Q, $CREATE TABLE x(%s %Q HIDDEN, docid HIDDEN)
                                APIs
                                • sqlite3_malloc.SQLITE3(00000038), ref: 6095B302
                                  • Part of subcall function 60904358: sqlite3_initialize.SQLITE3(609038B0,0000000A), ref: 6090435E
                                • sqlite3_malloc.SQLITE3(?), ref: 6095B337
                                  • Part of subcall function 60959B1C: sqlite3_malloc.SQLITE3(?), ref: 60959B6E
                                • sqlite3_step.SQLITE3(?), ref: 6095B37B
                                • sqlite3_column_int64.SQLITE3(?,00000000), ref: 6095B390
                                  • Part of subcall function 6091CDD8: sqlite3_value_int64.SQLITE3(00000000,?,?), ref: 6091CDF4
                                • sqlite3_reset.SQLITE3(?), ref: 6095B3B0
                                • sqlite3_realloc.SQLITE3(?,?), ref: 6095B52E
                                • memcpy.MSVCRT ref: 6095B5AF
                                • memcpy.MSVCRT ref: 6095B5F3
                                • sqlite3_realloc.SQLITE3(?,?), ref: 6095B61C
                                  • Part of subcall function 609047F0: sqlite3_initialize.SQLITE3 ref: 609047F6
                                • memcpy.MSVCRT ref: 6095B64D
                                Similarity
                                • API ID: memcpysqlite3_malloc$sqlite3_initializesqlite3_realloc$sqlite3_column_int64sqlite3_resetsqlite3_stepsqlite3_value_int64
                                • String ID:
                                APIs
                                • sqlite3_malloc.SQLITE3(00000050), ref: 60942DBE
                                • sqlite3_exec.SQLITE3(00000000,00000001,60942C14,?,?), ref: 60942DEB
                                • sqlite3_free_table.SQLITE3(?), ref: 60942E0C
                                • sqlite3_free.SQLITE3(?), ref: 60942E23
                                • sqlite3_mprintf.SQLITE3(60908C32,00000000), ref: 60942E33
                                • sqlite3_free.SQLITE3(00000000), ref: 60942E43
                                Similarity
                                • API ID: sqlite3_free$sqlite3_execsqlite3_free_tablesqlite3_mallocsqlite3_mprintf
                                • String ID:
                                APIs
                                • sqlite3_finalize.SQLITE3(5D8B0875), ref: 6095E9C3
                                • sqlite3_finalize.SQLITE3(F4C48310), ref: 6095E9D1
                                • sqlite3_finalize.SQLITE3(20E833FF), ref: 6095E9E2
                                • sqlite3_finalize.SQLITE3(83FFFB9F), ref: 6095E9F0
                                • sqlite3_finalize.SQLITE3(F88310C4), ref: 6095EA01
                                • sqlite3_finalize.SQLITE3(83127504), ref: 6095EA0F
                                • sqlite3_finalize.SQLITE3(33FFF4C4), ref: 6095EA20
                                • sqlite3_finalize.SQLITE3(FB9E42E8), ref: 6095EA2E
                                • sqlite3_finalize.SQLITE3(10C483FF), ref: 6095EA3F
                                • sqlite3_free.SQLITE3(60962229), ref: 6095EA48
                                  • Part of subcall function 609045DC: sqlite3_mutex_enter.SQLITE3 ref: 609045FC
                                  • Part of subcall function 609045DC: sqlite3_mutex_leave.SQLITE3 ref: 6090462E
                                Similarity
                                • API ID: sqlite3_finalize$sqlite3_freesqlite3_mutex_entersqlite3_mutex_leave
                                • String ID:
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: abort at %d in [%s]: %s$constraint failed at %d in [%s]$e$out of memory$statement aborts at %d: [%s] %s
                                APIs
                                • sqlite3_malloc.SQLITE3(?), ref: 6095430D
                                  • Part of subcall function 60958F38: sqlite3_mprintf.SQLITE3(simple), ref: 60958F50
                                Similarity
                                • API ID: sqlite3_mallocsqlite3_mprintf
                                • String ID: _content$_docsize$content
                                APIs
                                • memset.MSVCRT ref: 60956EDD
                                • memcpy.MSVCRT ref: 60956F0F
                                • memcpy.MSVCRT ref: 60956FDB
                                • sqlite3_free.SQLITE3(00000000), ref: 6095702C
                                  • Part of subcall function 60956DD4: sqlite3_realloc.SQLITE3(00000000,60956FB7), ref: 60956DE6
                                  • Part of subcall function 60956DD4: sqlite3_free.SQLITE3(00000000), ref: 60956DF8
                                • sqlite3_free.SQLITE3(00000000), ref: 6095706D
                                • sqlite3_free.SQLITE3(00000000), ref: 60957076
                                Similarity
                                • API ID: sqlite3_free$memcpy$memsetsqlite3_realloc
                                • String ID: P
                                Strings
                                Similarity
                                • API ID:
                                • String ID: $, $1$CREATE TABLE
                                APIs
                                • sqlite3_context_db_handle.SQLITE3(?), ref: 6092AD8F
                                • sqlite3_value_text.SQLITE3(?), ref: 6092ADA3
                                • sqlite3_value_text.SQLITE3(?), ref: 6092ADB3
                                • sqlite3_value_text.SQLITE3(?), ref: 6092ADC1
                                • sqlite3_result_text.SQLITE3(?,00000000,000000FF,Function_00004648,?,%s%s,00000000,00000000), ref: 6092AED9
                                Similarity
                                • API ID: sqlite3_value_text$sqlite3_context_db_handlesqlite3_result_text
                                • String ID: %s%.*s"%w"$%s%s$f
                                APIs
                                • sqlite3_value_text.SQLITE3(?), ref: 6092D0E4
                                • sqlite3_context_db_handle.SQLITE3(?), ref: 6092D0F2
                                • sqlite3_snprintf.SQLITE3(00000080,?,no such database: %s,00000000), ref: 6092D1BB
                                • sqlite3_result_error.SQLITE3(?,?,000000FF), ref: 6092D201
                                Strings
                                • no such database: %s, xrefs: 6092D158
                                • cannot detach database %s, xrefs: 6092D166
                                • database %s is locked, xrefs: 6092D1AD
                                • cannot DETACH database within transaction, xrefs: 6092D17F
                                Similarity
                                • API ID: sqlite3_context_db_handlesqlite3_result_errorsqlite3_snprintfsqlite3_value_text
                                • String ID: cannot DETACH database within transaction$cannot detach database %s$database %s is locked$no such database: %s
                                APIs
                                • sqlite3_value_type.SQLITE3(?), ref: 609339E8
                                • sqlite3_value_int64.SQLITE3(?), ref: 60933A01
                                • sqlite3_result_error.SQLITE3(?,integer overflow,000000FF), ref: 60933A2C
                                • sqlite3_result_null.SQLITE3(?), ref: 60933A4C
                                • sqlite3_value_double.SQLITE3(?), ref: 60933A59
                                • sqlite3_result_double.SQLITE3(?), ref: 60933A78
                                Strings
                                Similarity
                                • API ID: sqlite3_result_doublesqlite3_result_errorsqlite3_result_nullsqlite3_value_doublesqlite3_value_int64sqlite3_value_type
                                • String ID: integer overflow
                                • API String ID: 3172738990-1678498654
                                • Opcode ID: 5f65b31fabc4392cc8f2a496b385d6ab5cf9b67f1d626f730909ddf26de6b6a2
                                • Instruction ID: d9dee663af6fc9cddefd5da9f17c554d4d8cc378b9455df19f670a13202dcbfc
                                • Opcode Fuzzy Hash: 5f65b31fabc4392cc8f2a496b385d6ab5cf9b67f1d626f730909ddf26de6b6a2
                                • Instruction Fuzzy Hash: E81104A1E4C42463CB05253C8CC27AE355B9773238F648770E8B8E23E5EB16C9664AD3
                                APIs
                                • sqlite3_create_function.SQLITE3(60952EAD,rtreenode,00000002,00000001,00000000,60962244,00000000,00000000,00000000,?,?,?,60952EAD,00100800), ref: 60962503
                                  • Part of subcall function 60952364: sqlite3_mutex_enter.SQLITE3(?), ref: 6095237F
                                  • Part of subcall function 60952364: sqlite3_mutex_leave.SQLITE3(?), ref: 609523BD
                                • sqlite3_create_function.SQLITE3(60952EAD,rtreedepth,00000001,00000001,00000000,60962454,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 60962524
                                • sqlite3_create_module_v2.SQLITE3(60952EAD,rtree,60964B80,00000000,00000000), ref: 60962542
                                • sqlite3_create_module_v2.SQLITE3(60952EAD,rtree_i32,60964B80,00000001,00000000), ref: 60962560
                                Strings
                                Similarity
                                • API ID: sqlite3_create_functionsqlite3_create_module_v2$sqlite3_mutex_entersqlite3_mutex_leave
                                • String ID: rtree$rtree_i32$rtreedepth$rtreenode
                                • API String ID: 1443125932-2533030724
                                • Opcode ID: 0bcad24fe3f1889e99d0555e54764379d9af726615d874c4b13b8a68f1ddae59
                                • Instruction ID: bc19f031dacab74e8001ad1163f26627138d265fba67b592f37b9b9c3ce33ccf
                                • Opcode Fuzzy Hash: 0bcad24fe3f1889e99d0555e54764379d9af726615d874c4b13b8a68f1ddae59
                                • Instruction Fuzzy Hash: B4F0F9B0BA4B0231F63452675DD3F96221F0775B5CF1045207B66781E2F9F5FD50019A
                                APIs
                                • LockFile.KERNEL32(?,00000000,00000001,00000000), ref: 6090892E
                                • GetLastError.KERNEL32(?,?,00000000), ref: 60908942
                                • LockFile.KERNEL32(?,40000001,00000000,00000001,00000000), ref: 60908995
                                • LockFile.KERNEL32(00000003,3FFFFFFE,00000000,000001FE,00000000), ref: 609089EC
                                • UnlockFile.KERNEL32(?,00000000,00000001,00000000), ref: 60908A34
                                Similarity
                                • API ID: File$Lock$ErrorLastUnlock
                                • String ID:
                                • API String ID: 49849229-0
                                • Opcode ID: d8d8b30f8c90c89b8d8090c22d6cc405ad556006571dd2196636b95731b5cb41
                                • Instruction ID: 325502d3b69b07f50a3442f948df90fa56bc25fd5e89fb60bce587e4d78c58e3
                                • Opcode Fuzzy Hash: d8d8b30f8c90c89b8d8090c22d6cc405ad556006571dd2196636b95731b5cb41
                                • Instruction Fuzzy Hash: BA411870B14311ABFF045EE48C8276B7BAB5B31724F10823CE9B5662C1D7F5C9549B82
                                APIs
                                • DeleteFileW.KERNEL32(00000000), ref: 609090A8
                                • GetFileAttributesW.KERNEL32(00000000), ref: 609090B4
                                • GetLastError.KERNEL32 ref: 609090C3
                                • Sleep.KERNEL32(00000064), ref: 609090DB
                                Similarity
                                • API ID: File$AttributesDeleteErrorLastSleep
                                • String ID:
                                • API String ID: 2316142864-0
                                • Opcode ID: a091c97259aef5c56c956239ced7414f7e86aff7450ca1a57599fe13d09331f1
                                • Instruction ID: 4dd33ea13e3eb5b978bbf488bd765b3ba2b1a9ddf9197d2969a4167e39673b9f
                                • Opcode Fuzzy Hash: a091c97259aef5c56c956239ced7414f7e86aff7450ca1a57599fe13d09331f1
                                • Instruction Fuzzy Hash: 3421F672E1851252EB0166788C4778D726BDF3323CF244364EE76922D0FF26CA6551D3
                                Strings
                                Similarity
                                • API ID:
                                • String ID: CREATE %s %.*s$CREATE TABLE %Q.sqlite_sequence(name,seq)$TABLE$UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d$VIEW$sqlite_master$sqlite_temp_master$table$tbl_name='%q'$view
                                • API String ID: 0-2854042851
                                • Opcode ID: 28119c2078382b556411bd6acc96d7d9b4e51106d1acb6039bf459f8d65fe1b7
                                • Instruction ID: 2a6c0b8a798abdddb3ada45839b080620fdb136beaab1903ed4bbbe9d4e02b29
                                • Opcode Fuzzy Hash: 28119c2078382b556411bd6acc96d7d9b4e51106d1acb6039bf459f8d65fe1b7
                                • Instruction Fuzzy Hash: E3B1A4719102059BDB10CF68DC81B9A77B6FB25328F0486A4F9689B3D5EB31DA90CF91
                                APIs
                                Strings
                                Similarity
                                • API ID: sqlite3_free
                                • String ID: UNIQUE$CREATE%s INDEX %.*s$INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);$name='%q'$sqlite_master$sqlite_temp_master
                                • API String ID: 2313487548-3842641978
                                • Opcode ID: 62f05deb229c6072463a5fdf3cd50f3ba5fa9c9a9546005b29fc7b5723363747
                                • Instruction ID: 28d6bc57eff74358b6715aef35953750357377dcbf50479dc434960d38b30fe2
                                • Opcode Fuzzy Hash: 62f05deb229c6072463a5fdf3cd50f3ba5fa9c9a9546005b29fc7b5723363747
                                • Instruction Fuzzy Hash: 335161B5E00114ABDB14CFA8DC81B9E77B6AB6A324F144318F924A73E0E731D991CF91
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid$out of memory$sqlite_master$sqlite_temp_master$statement aborts at %d: [%s] %s
                                • API String ID: 632333372-3835016454
                                • Opcode ID: 8d3b2b84283b973d7706922e93e538bdf91628f8898fc59172166dde865dfcaa
                                • Instruction ID: a7daa9bb945af44569f646fe50cace89af8ab515735c95f43f0d1eb44ed2a7c1
                                • Opcode Fuzzy Hash: 8d3b2b84283b973d7706922e93e538bdf91628f8898fc59172166dde865dfcaa
                                • Instruction Fuzzy Hash: 2A517D71D042689BDB20CB14CC80B8CB7B6AB25228F1486D5E92D77381EB35DED5CF92
                                APIs
                                • sqlite3_realloc.SQLITE3(?,?), ref: 60942C4C
                                • sqlite3_mprintf.SQLITE3(60908C32,?), ref: 60942C7E
                                Strings
                                • sqlite3_get_table() called with two or more incompatible queries, xrefs: 60942CBA
                                Similarity
                                • API ID: sqlite3_mprintfsqlite3_realloc
                                • String ID: sqlite3_get_table() called with two or more incompatible queries
                                • API String ID: 3595145723-4279182443
                                • Opcode ID: 1b4e15195aaac028a76df4d11592d49a1d6170fae7a4ca0cca2e071c0b9b1f3d
                                • Instruction ID: d988cfdbd93c5ad69cdc3d8c004911d6de23ec66ba5f03fd3ca811a72f35b0ec
                                • Opcode Fuzzy Hash: 1b4e15195aaac028a76df4d11592d49a1d6170fae7a4ca0cca2e071c0b9b1f3d
                                • Instruction Fuzzy Hash: 2C41BD719006069FD720CF68CC81A4B77FAFB65325F908A28E8B5C7291E774ED91CB91
                                APIs
                                • sqlite3_exec.SQLITE3(?,00000000,00000000,00000000,00000000), ref: 60961C76
                                • sqlite3_free.SQLITE3(00000000), ref: 60961C84
                                • sqlite3_mprintf.SQLITE3(CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zerobl,60961F10,00000000,60961F10,00000000,60961F10,00000000,60961F10,00000000,?), ref: 60961C50
                                  • Part of subcall function 60905F80: sqlite3_initialize.SQLITE3 ref: 60905F86
                                  • Part of subcall function 60905F80: sqlite3_vmprintf.SQLITE3(?,?), ref: 60905F99
                                • sqlite3_mprintf.SQLITE3(60961AD0,60961F10,00000000), ref: 60961D05
                                • sqlite3_prepare_v2.SQLITE3(?,00000000,000000FF,?,00000000), ref: 60961D23
                                • sqlite3_free.SQLITE3(00000000), ref: 60961D39
                                Strings
                                • CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zerobl, xrefs: 60961C4B
                                Similarity
                                • API ID: sqlite3_freesqlite3_mprintf$sqlite3_execsqlite3_initializesqlite3_prepare_v2sqlite3_vmprintf
                                • String ID: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zerobl
                                • API String ID: 3446174692-2844199145
                                • Opcode ID: 3b2bd11a99484c436f0443096a037b865d1a88ebb9e564679a74db1db3798d39
                                • Instruction ID: 51227fe79a3464a666915bd495d943230074296279a62cfc4d23df9aa9a5ae7f
                                • Opcode Fuzzy Hash: 3b2bd11a99484c436f0443096a037b865d1a88ebb9e564679a74db1db3798d39
                                • Instruction Fuzzy Hash: 294176B69107055BE710CEA8CC81BDB77FAEB95224F144619FD79A7380E774EA108B90
                                APIs
                                • sqlite3_mutex_enter.SQLITE3(?), ref: 609177AD
                                • sqlite3_mutex_enter.SQLITE3(?), ref: 609177B8
                                • sqlite3_malloc.SQLITE3(00000030), ref: 609177E1
                                • sqlite3_free.SQLITE3(00000000), ref: 60917859
                                • sqlite3_mutex_leave.SQLITE3(?), ref: 60917873
                                • sqlite3_mutex_leave.SQLITE3(?), ref: 60917881
                                Strings
                                • source and destination must be distinct, xrefs: 609177C8
                                Similarity
                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_freesqlite3_malloc
                                • String ID: source and destination must be distinct
                                • API String ID: 3822358297-3299598958
                                • Opcode ID: e504ba4ef8974ee1a7d55d08caca604cf509a5e615cd122e62f1f59c98971d89
                                • Instruction ID: d65db66cfef7cb070a7cefedfb7169361cd44b321c548b5e719b900c2ef1bb30
                                • Opcode Fuzzy Hash: e504ba4ef8974ee1a7d55d08caca604cf509a5e615cd122e62f1f59c98971d89
                                • Instruction Fuzzy Hash: 21319CB1A046465BDB119F68CCC2B577ABAAF31238F1403A8FD34962D1EB71D660C7D1
                                APIs
                                • sqlite3_exec.SQLITE3(?,SAVEPOINT fts3,00000000,00000000,00000000), ref: 6095C9B8
                                • sqlite3_exec.SQLITE3(?,RELEASE fts3,00000000,00000000,00000000), ref: 6095C9EB
                                  • Part of subcall function 6095A1E0: sqlite3_free.SQLITE3(?), ref: 6095A1FE
                                • sqlite3_exec.SQLITE3(?,ROLLBACK TO fts3,00000000,00000000,00000000), ref: 6095CA15
                                • sqlite3_exec.SQLITE3(?,RELEASE fts3,00000000,00000000,00000000), ref: 6095CA2E
                                Strings
                                Similarity
                                • API ID: sqlite3_exec$sqlite3_free
                                • String ID: RELEASE fts3$ROLLBACK TO fts3$SAVEPOINT fts3
                                • API String ID: 2746575038-3733817512
                                • Opcode ID: 085d33c4f9db536240ed34d953f8924586aed9380b3d00604b240b2f5eec99ad
                                • Instruction ID: b42296e4c8d73bea9a1ceee6475c82bc3e10a821eb7a3de2fa32c37b70af20bb
                                • Opcode Fuzzy Hash: 085d33c4f9db536240ed34d953f8924586aed9380b3d00604b240b2f5eec99ad
                                • Instruction Fuzzy Hash: B411A1B1A887023AE62251AA5CC3F8539564B32B38F240B20FB38752D0FFD1A53505C9
                                APIs
                                • sqlite3_value_type.SQLITE3(?), ref: 6095641E
                                • sqlite3_value_bytes.SQLITE3(?), ref: 6095642F
                                • sqlite3_mprintf.SQLITE3(illegal first argument to %s,?), ref: 60956447
                                • sqlite3_result_error.SQLITE3(?,00000000,000000FF), ref: 60956457
                                • sqlite3_free.SQLITE3(00000000), ref: 60956463
                                • sqlite3_value_blob.SQLITE3(?), ref: 60956474
                                Strings
                                • illegal first argument to %s, xrefs: 60956442
                                Similarity
                                • API ID: sqlite3_freesqlite3_mprintfsqlite3_result_errorsqlite3_value_blobsqlite3_value_bytessqlite3_value_type
                                • String ID: illegal first argument to %s
                                • API String ID: 206411678-2929609328
                                • Opcode ID: 9c4cd8e0082e86f446fff1d5e5cc6d22103342b8873c3ba53102b0941c5f0d85
                                • Instruction ID: 44410e1066a417d661977f1a6a7a21a4b3e42304a30a9f515a634a5ca57a6615
                                • Opcode Fuzzy Hash: 9c4cd8e0082e86f446fff1d5e5cc6d22103342b8873c3ba53102b0941c5f0d85
                                • Instruction Fuzzy Hash: 12F086E1A0810567D7019A799C8295A325A5B3613CF140B70F975A23E2FF36D56486A2
                                APIs
                                • sqlite3_value_type.SQLITE3(?), ref: 609338DA
                                • sqlite3_result_text.SQLITE3(?,real,000000FF,00000000), ref: 60933929
                                Strings
                                Similarity
                                • API ID: sqlite3_result_textsqlite3_value_type
                                • String ID: blob$integer$null$real$text
                                APIs
                                • sqlite3_malloc.SQLITE3(?), ref: 60960134
                                  • Part of subcall function 60904358: sqlite3_initialize.SQLITE3(609038B0,0000000A), ref: 6090435E
                                • memset.MSVCRT ref: 6096016A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: memsetsqlite3_initializesqlite3_malloc
                                • String ID: VUUU$VUUU$VUUU
                                APIs
                                • sqlite3_snprintf.SQLITE3(00000064,?,On tree page %d cell %d: ,?,00000000), ref: 60916A59
                                • sqlite3_snprintf.SQLITE3(00000064,?,On page %d at right child: ,?,?), ref: 60916CF1
                                Strings
                                • On tree page %d cell %d: , xrefs: 60916A48
                                • Child page depth differs, xrefs: 60916C82
                                • On page %d at right child: , xrefs: 60916CE6
                                • Rowid %lld out of order (max larger than parent min of %lld), xrefs: 60916DB4
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_snprintf
                                • String ID: Child page depth differs$On page %d at right child: $On tree page %d cell %d: $Rowid %lld out of order (max larger than parent min of %lld)
                                APIs
                                • sqlite3_value_type.SQLITE3(?), ref: 60934C59
                                • sqlite3_value_text.SQLITE3(?), ref: 60934C6F
                                • sqlite3_value_bytes.SQLITE3(?), ref: 60934C87
                                • sqlite3_value_text.SQLITE3(?), ref: 60934CC2
                                • sqlite3_user_data.SQLITE3(?), ref: 60934D93
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_value_text$sqlite3_user_datasqlite3_value_bytessqlite3_value_type
                                • String ID:
                                APIs
                                • sqlite3_value_text.SQLITE3(?), ref: 6091F2C3
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_value_text
                                • String ID: ($out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                APIs
                                Strings
                                • Main freelist: , xrefs: 609172E4
                                • List of tree roots: , xrefs: 60917356
                                • Pointer map page %d is referenced, xrefs: 609173D5
                                • Page %d is never used, xrefs: 609173A1
                                • Outstanding page count goes from %d to %d during this analysis, xrefs: 6091741E
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_free
                                • String ID: List of tree roots: $Main freelist: $Outstanding page count goes from %d to %d during this analysis$Page %d is never used$Pointer map page %d is referenced
                                APIs
                                • sqlite3_malloc.SQLITE3(?), ref: 6095C76D
                                  • Part of subcall function 60904358: sqlite3_initialize.SQLITE3(609038B0,0000000A), ref: 6090435E
                                • memset.MSVCRT ref: 6095C79B
                                • sqlite3_value_type.SQLITE3(?), ref: 6095C7A8
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: memsetsqlite3_initializesqlite3_mallocsqlite3_value_type
                                • String ID:
                                APIs
                                • sqlite3_result_text.SQLITE3(00000000,Function_00004CBA,00000000,00000000,?,<b>,</b>), ref: 6095D974
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_result_text
                                • String ID: </b>$<b>
                                APIs
                                • sqlite3_mutex_enter.SQLITE3(00000000), ref: 609511AF
                                • sqlite3_mutex_leave.SQLITE3(00000000), ref: 6095121A
                                • sqlite3_mutex_enter.SQLITE3 ref: 60951233
                                • sqlite3_mutex_leave.SQLITE3 ref: 609512D2
                                • sqlite3_mutex_enter.SQLITE3(00000000), ref: 609512DB
                                • sqlite3_mutex_free.SQLITE3 ref: 609512FB
                                • sqlite3_mutex_leave.SQLITE3(00000000), ref: 60951311
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_free
                                • String ID:
                                APIs
                                • sqlite3_value_type.SQLITE3(?), ref: 60935274
                                • sqlite3_aggregate_context.SQLITE3(?,0000001C), ref: 6093528B
                                • sqlite3_context_db_handle.SQLITE3(?), ref: 609352A1
                                • sqlite3_value_text.SQLITE3(?), ref: 609352CB
                                • sqlite3_value_bytes.SQLITE3(?), ref: 609352D8
                                • sqlite3_value_text.SQLITE3(?), ref: 60935301
                                • sqlite3_value_bytes.SQLITE3(?), ref: 6093530D
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_aggregate_contextsqlite3_context_db_handlesqlite3_value_type
                                • String ID:
                                APIs
                                • sqlite3_mprintf.SQLITE3(PRAGMA %Q.page_size,9000656C), ref: 60961E4C
                                  • Part of subcall function 60905F80: sqlite3_initialize.SQLITE3 ref: 60905F86
                                  • Part of subcall function 60905F80: sqlite3_vmprintf.SQLITE3(?,?), ref: 60905F99
                                  • Part of subcall function 60961D5C: sqlite3_prepare_v2.SQLITE3(00000000,00000000,000000FF,00000000,00000000), ref: 60961D84
                                  • Part of subcall function 60961D5C: sqlite3_step.SQLITE3(00000000), ref: 60961D96
                                  • Part of subcall function 60961D5C: sqlite3_column_int.SQLITE3(00000000,00000000), ref: 60961DAB
                                  • Part of subcall function 60961D5C: sqlite3_finalize.SQLITE3(00000000), ref: 60961DC0
                                • sqlite3_mprintf.SQLITE3(SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1,9000656C,90909090), ref: 60961E9A
                                • sqlite3_free.SQLITE3(00000000), ref: 60961EB8
                                Strings
                                • for an rtree table, xrefs: 60961EA7
                                • SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1, xrefs: 60961E95
                                • PRAGMA %Q.page_size, xrefs: 60961E47
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_mprintf$sqlite3_column_intsqlite3_finalizesqlite3_freesqlite3_initializesqlite3_prepare_v2sqlite3_stepsqlite3_vmprintf
                                • String ID: PRAGMA %Q.page_size$SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1$for an rtree table
                                APIs
                                • sqlite3_value_type.SQLITE3(?), ref: 60962467
                                • sqlite3_value_bytes.SQLITE3(?), ref: 60962479
                                • sqlite3_result_error.SQLITE3(?,Invalid argument to rtreedepth(),000000FF), ref: 60962491
                                • sqlite3_value_blob.SQLITE3(?), ref: 6096249D
                                • sqlite3_result_int.SQLITE3(?,00000000,00000000), ref: 609624B0
                                Strings
                                • Invalid argument to rtreedepth(), xrefs: 6096248B
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_result_errorsqlite3_result_intsqlite3_value_blobsqlite3_value_bytessqlite3_value_type
                                • String ID: Invalid argument to rtreedepth()
                                Strings
                                • sqlite_master, xrefs: 6092BDDA
                                • sqlite_temp_master, xrefs: 6092BDE5, 6092BDEA
                                • Cannot add a NOT NULL column with default value NULL, xrefs: 6092BD1D
                                • Cannot add a REFERENCES column with non-NULL default value, xrefs: 6092BD06
                                • Cannot add a column with non-constant default, xrefs: 6092BD66
                                • Cannot add a UNIQUE column, xrefs: 6092BCE9
                                • Cannot add a PRIMARY KEY column, xrefs: 6092BCD8
                                • UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q, xrefs: 6092BDEF
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: Cannot add a NOT NULL column with default value NULL$Cannot add a PRIMARY KEY column$Cannot add a REFERENCES column with non-NULL default value$Cannot add a UNIQUE column$Cannot add a column with non-constant default$UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q$sqlite_master$sqlite_temp_master
                                • API String ID: 0-2453307425
                                • Opcode ID: 015474e21a7ff9645ad6e682211ab58a5830e013582e6ac73b24fd0963afcd3b
                                • Instruction ID: 0bcd1627802d0cd537fc3e5af9412f8000fe4a04d65c8605c5e48ad93b5e136c
                                • Opcode Fuzzy Hash: 015474e21a7ff9645ad6e682211ab58a5830e013582e6ac73b24fd0963afcd3b
                                • Instruction Fuzzy Hash: AC6106B1D14605ABDB10CA58D881BDA7BFAAF65314F148344EA78973D9E731DA80CBC0
                                Strings
                                Similarity
                                • API ID:
                                • String ID: aolf$bolb$bolc$buod$laer$rahc$tni$txet
                                • API String ID: 0-2685204555
                                • Opcode ID: e0f2c55cfbaa20f5559131be9e0da733ae95ce283b9d031aa958e1c92ef3c189
                                • Instruction ID: 9bf880d6dfec27626bbd312d82f96bfbd14471ee9a53fda736a6bf14d7f85227
                                • Opcode Fuzzy Hash: e0f2c55cfbaa20f5559131be9e0da733ae95ce283b9d031aa958e1c92ef3c189
                                • Instruction Fuzzy Hash: 8601DB08B385E406DB124935E4E13AA3EEF47F3315F68C123D5A1891CFE129CD908283
                                APIs
                                Similarity
                                • API ID: sqlite3_malloc$memset
                                • String ID:
                                • API String ID: 1825485718-0
                                • Opcode ID: 3f329256038152c1ec0e7559b888d06cf1b4f827a7d6e26cf6c6af91d594c409
                                • Instruction ID: 5faa24b8a9748cd91a8eb28793ee17bfd9f351da6075e981537d868d06f3b9d4
                                • Opcode Fuzzy Hash: 3f329256038152c1ec0e7559b888d06cf1b4f827a7d6e26cf6c6af91d594c409
                                • Instruction Fuzzy Hash: 9771B2B1E00205ABDB00CBA8CC82B9D77B6EB65224F144358F97ADB3D0EB35DA41C791
                                APIs
                                • sqlite3_realloc.SQLITE3(00000000,-00000010), ref: 6095AA96
                                • qsort.MSVCRT ref: 6095AAC5
                                • sqlite3_malloc.SQLITE3 ref: 6095AB11
                                • sqlite3_free.SQLITE3(00000000), ref: 6095AB80
                                Similarity
                                • API ID: qsortsqlite3_freesqlite3_mallocsqlite3_realloc
                                • String ID:
                                • API String ID: 694323161-0
                                • Opcode ID: 245771c90ced9bc7e377d3f0fe2b24ca080b9951c77593d763e6197932234dbb
                                • Instruction ID: 5d231aa8c4fc82bd4cb3f63703b3492445ffe81825d23d4d0dd1cfa721d25be9
                                • Opcode Fuzzy Hash: 245771c90ced9bc7e377d3f0fe2b24ca080b9951c77593d763e6197932234dbb
                                • Instruction Fuzzy Hash: 245150B0D0020AEBDF01CF99CD81B9EB7BAFF55318F144654E924A7280E374DA65CBA5
                                Strings
                                Similarity
                                • API ID:
                                • String ID: -$0123456789ABCDEF0123456789abcdef$NaN$thstndrd
                                • API String ID: 0-2392734905
                                • Opcode ID: 38af36d21ffb0bf20f8b5417af45a07f3ca2f45f219983bb909f3d4d8d653070
                                • Instruction ID: 64876efd5c6d91a91185e68b27c3a108111be558620fb384f1fbca436f69eab8
                                • Opcode Fuzzy Hash: 38af36d21ffb0bf20f8b5417af45a07f3ca2f45f219983bb909f3d4d8d653070
                                • Instruction Fuzzy Hash: 0DD1AFB0E092698FEB218A28CC557CEBBB6AF66304F1441DDD899A7281D374CEC5CF41
                                APIs
                                • sqlite3_value_text.SQLITE3(?), ref: 60934EB9
                                • sqlite3_context_db_handle.SQLITE3(?), ref: 60934EC7
                                • sqlite3_value_text.SQLITE3(00000000), ref: 60934EE4
                                • sqlite3_load_extension.SQLITE3(00000000,00000000,00000000,00000000), ref: 60934EFD
                                • sqlite3_result_error.SQLITE3(?,00000000,000000FF), ref: 60934F15
                                • sqlite3_free.SQLITE3(00000000), ref: 60934F20
                                Similarity
                                • API ID: sqlite3_value_text$sqlite3_context_db_handlesqlite3_freesqlite3_load_extensionsqlite3_result_error
                                • String ID:
                                • API String ID: 2806608225-0
                                • Opcode ID: 43fe114faedc3be11b5daf14e92e58d089675017f97d0a7bac92153bee78ab16
                                • Instruction ID: 2a01369fd02558a5168639d508f8b42e0fccee7b618dcb08d95b5d003924ea27
                                • Opcode Fuzzy Hash: 43fe114faedc3be11b5daf14e92e58d089675017f97d0a7bac92153bee78ab16
                                • Instruction Fuzzy Hash: D501F9B1D04018ABDF109AACDC42ADE7AAADB21274F544360FC34922D1EB32DA208E91
                                Strings
                                • sqlite_master, xrefs: 6092B86C, 6092B8B2
                                • UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;, xrefs: 6092B932
                                • sqlite_temp_master, xrefs: 6092B877, 6092B87C, 6092B8BD, 6092B8C2
                                • UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;, xrefs: 6092B881
                                • UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q, xrefs: 6092B8C7
                                • sqlite_sequence, xrefs: 6092B8DF
                                • UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q, xrefs: 6092B902
                                Similarity
                                • API ID:
                                • String ID: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;$UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q$UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q$UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;$sqlite_master$sqlite_sequence$sqlite_temp_master
                                • API String ID: 0-1637520386
                                • Opcode ID: e428bcf9e33e1d999040a9c2527324db9c2edc8877b3990d0b8c928b89b6c2bf
                                • Instruction ID: 006707d2f5ac255ce0f74ffe064c4911c4beffee1f3f876b1e9a1c256d526883
                                • Opcode Fuzzy Hash: e428bcf9e33e1d999040a9c2527324db9c2edc8877b3990d0b8c928b89b6c2bf
                                • Instruction Fuzzy Hash: D58192B6E14104ABDB00CA98DC82FAE77BA9F75228F148714FA38973D5E731DA5087D1
                                APIs
                                • sqlite3_snprintf.SQLITE3(00000064,?,On page %d at right child: ,?,?), ref: 60916CF1
                                Strings
                                • Child page depth differs, xrefs: 60916C82
                                • Rowid %lld out of order (previous was %lld), xrefs: 60916B2B
                                • On page %d at right child: , xrefs: 60916CE6
                                • Rowid %lld out of order (max larger than parent min of %lld), xrefs: 60916DB4
                                Similarity
                                • API ID: sqlite3_snprintf
                                • String ID: Child page depth differs$On page %d at right child: $Rowid %lld out of order (max larger than parent min of %lld)$Rowid %lld out of order (previous was %lld)
                                • API String ID: 949980604-1712597054
                                • Opcode ID: bffb7f09eec43ccbbded913a8297225ac427236c12beec15ec644c97aa6c3e19
                                • Instruction ID: 4ea4050317f249728d77b405324294e5c73b1ee2907420e77c0dd7c0b8816ec5
                                • Opcode Fuzzy Hash: bffb7f09eec43ccbbded913a8297225ac427236c12beec15ec644c97aa6c3e19
                                • Instruction Fuzzy Hash: 87A160B5E041189BEB14CB68CC81FAAB7BAAB55214F1482D8E56C97281E731DEC1CF91
                                Strings
                                Similarity
                                • API ID:
                                • String ID: -$0123456789ABCDEF0123456789abcdef$NaN$thstndrd
                                • API String ID: 0-2392734905
                                • Opcode ID: ed222590127b5e1723d40211d72ca1fc52f1866199631f04a15c806571ff761c
                                • Instruction ID: 69a044d9ac1c25ce1f5300980b844d453241fa222aa510a2dd153abba89d3e65
                                • Opcode Fuzzy Hash: ed222590127b5e1723d40211d72ca1fc52f1866199631f04a15c806571ff761c
                                • Instruction Fuzzy Hash: F49105B0A052989FEB21CA288C457DABBB6AF67314F1441DCE899A7381D371DE80CF51
                                APIs
                                • sqlite3_mutex_enter.SQLITE3(?), ref: 6095337D
                                • sqlite3_mutex_leave.SQLITE3(?), ref: 6095357D
                                Strings
                                Similarity
                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                • String ID: BINARY$INTEGER$no such table column: %s.%s
                                • API String ID: 1477753154-1639161350
                                • Opcode ID: 08d1ece09159eb2d4a6896c98e672745d2089ab76baa05d0f3c701372b637a9f
                                • Instruction ID: c6ea435358f9346285171c3fea0dbeddf69d8cad25f51c256fa20552508b9cf2
                                • Opcode Fuzzy Hash: 08d1ece09159eb2d4a6896c98e672745d2089ab76baa05d0f3c701372b637a9f
                                • Instruction Fuzzy Hash: 52815FB5D00209AFDF06CFA5C885BDEBBB6AF64314F148258E82467390E775DA94CF90
                                Strings
                                Similarity
                                • API ID:
                                • String ID: -$0123456789ABCDEF0123456789abcdef$NaN$thstndrd
                                • API String ID: 0-2392734905
                                • Opcode ID: cc6a53990cb4d1818d8f19c7fd1f6d2a7e853bbe45df0283b841a961dc79d0e2
                                • Instruction ID: 5448fa6866c81ea94306f9d4812d7a3fa3e63fccee63efc7bd006c6e1a75a1e7
                                • Opcode Fuzzy Hash: cc6a53990cb4d1818d8f19c7fd1f6d2a7e853bbe45df0283b841a961dc79d0e2
                                • Instruction Fuzzy Hash: AE71C7B0E052699FFB21CA288C417DABBBAAF76304F0445DCD899A7281D774DE80CF51
                                Strings
                                Similarity
                                • API ID:
                                • String ID: DELETE FROM %Q.%s WHERE name=%Q$DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q$index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped$no such index: %S$sqlite_master$sqlite_stat1$sqlite_temp_master
                                • API String ID: 0-2541857092
                                • Opcode ID: ef653cc2a337e76ad2f9f01ab972da24adcfa42318a21a868cca03d62ef147bc
                                • Instruction ID: 7eff5b7121e88bd9f01e8e62ac10d4ee7aca8c771f69e355e403b3740f133782
                                • Opcode Fuzzy Hash: ef653cc2a337e76ad2f9f01ab972da24adcfa42318a21a868cca03d62ef147bc
                                • Instruction Fuzzy Hash: D151E6B5E00114BBDB04DE98CC81F9A77BAAF26224F144750F9389B3E1E731DA508BD2
                                APIs
                                • sqlite3_mutex_enter.SQLITE3(?), ref: 6091D114
                                • sqlite3_mutex_leave.SQLITE3(?), ref: 6091D141
                                • sqlite3_log.SQLITE3(00000015,bind on a busy prepared statement: [%s],?), ref: 6091D159
                                  • Part of subcall function 60953294: sqlite3_log.SQLITE3(00000015,misuse detected by source line %d,60901481), ref: 609532A7
                                Strings
                                • bind on a busy prepared statement: [%s], xrefs: 6091D152
                                Similarity
                                • API ID: sqlite3_log$sqlite3_mutex_entersqlite3_mutex_leave
                                • String ID: bind on a busy prepared statement: [%s]
                                • API String ID: 2575432037-326506900
                                • Opcode ID: 4623e095003a5ab715efccd0638af4667ea72dedfeca6bfdacff63243bf34962
                                • Instruction ID: b3ad760c5e977af9e8900d34620a5f1c38d74e9b8e00531505fdb41be69a0f4e
                                • Opcode Fuzzy Hash: 4623e095003a5ab715efccd0638af4667ea72dedfeca6bfdacff63243bf34962
                                • Instruction Fuzzy Hash: 6C31E671A0C616BBE7155A28CC43B857727AF31338F140360B9749A2E1FB62E5B4CBC2
                                APIs
                                • sqlite3_snprintf.SQLITE3(00000064,?,%04d-%02d-%02d,?,?,?), ref: 60902D08
                                • sqlite3_result_text.SQLITE3(?,?,000000FF,000000FF), ref: 60902D16
                                • sqlite3_value_text.SQLITE3(?), ref: 60902D74
                                  • Part of subcall function 609029F8: sqlite3_value_text.SQLITE3(?), ref: 60902AC2
                                • sqlite3_context_db_handle.SQLITE3(?), ref: 60902DB8
                                • sqlite3_result_text.SQLITE3(?,?,000000FF,Function_00004648), ref: 60903481
                                Strings
                                Similarity
                                • API ID: sqlite3_result_textsqlite3_value_text$sqlite3_context_db_handlesqlite3_snprintf
                                • String ID: %04d-%02d-%02d
                                • API String ID: 1181271155-516894531
                                • Opcode ID: 18a485fb7e25a6a131a6ea5e75f623ef28287de74a620b4162258d031e6448b2
                                • Instruction ID: 1cc63b55c51fe36cca3e22b2599f7a0304b78c2a340f32bbe54e71f786f7e5b2
                                • Opcode Fuzzy Hash: 18a485fb7e25a6a131a6ea5e75f623ef28287de74a620b4162258d031e6448b2
                                • Instruction Fuzzy Hash: 223146B290819A5FDF128B64CC80BE97B7AAF12324F0843D9F925962D2E335CD51CB91
                                APIs
                                • sqlite3_value_text.SQLITE3(?), ref: 6092AF0D
                                • sqlite3_value_text.SQLITE3(?), ref: 6092AF1B
                                • sqlite3_context_db_handle.SQLITE3(?), ref: 6092AF3E
                                • sqlite3_result_text.SQLITE3(00000000,00000000,000000FF,Function_00004648), ref: 6092AFE1
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Similarity
                                • API ID: sqlite3_value_text$sqlite3_context_db_handlesqlite3_result_text
                                • String ID: %.*s"%w"%s
                                APIs
                                • sqlite3_value_text.SQLITE3(?), ref: 6092ACB9
                                • sqlite3_value_text.SQLITE3(?), ref: 6092ACC7
                                • sqlite3_context_db_handle.SQLITE3(?), ref: 6092ACE3
                                • sqlite3_result_text.SQLITE3(00000000,00000000,000000FF,Function_00004648), ref: 6092AD5C
                                Strings
                                Similarity
                                • API ID: sqlite3_value_text$sqlite3_context_db_handlesqlite3_result_text
                                • String ID: %.*s"%w"%s
                                APIs
                                • sqlite3_aggregate_context.SQLITE3(?,00000000), ref: 60935020
                                • sqlite3_result_error.SQLITE3(?,integer overflow,000000FF), ref: 6093504C
                                Strings
                                Similarity
                                • API ID: sqlite3_aggregate_contextsqlite3_result_error
                                • String ID: integer overflow
                                APIs
                                • sqlite3_malloc.SQLITE3(00000000), ref: 609605E3
                                  • Part of subcall function 60904358: sqlite3_initialize.SQLITE3(609038B0,0000000A), ref: 6090435E
                                • memset.MSVCRT ref: 60960618
                                • memset.MSVCRT ref: 6096072D
                                • memset.MSVCRT ref: 60960743
                                • sqlite3_free.SQLITE3(?), ref: 609609E7
                                Similarity
                                • API ID: memset$sqlite3_freesqlite3_initializesqlite3_malloc
                                • String ID:
                                Strings
                                Similarity
                                • API ID:
                                • String ID: day$hour$minute$month$second$year
                                APIs
                                Strings
                                • foreign key on %s should reference only one column of table %T, xrefs: 609305CA
                                • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 609305F5
                                • unknown column "%s" in foreign key definition, xrefs: 60930752
                                Similarity
                                • API ID: memcpy
                                • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                Strings
                                • subqueries prohibited in CHECK constraints, xrefs: 60925D79
                                • wrong number of arguments to function %.*s(), xrefs: 60925D1A
                                • not authorized to use function: %s, xrefs: 60925CAD
                                • parameters prohibited in CHECK constraints, xrefs: 60925DB1
                                • misuse of aggregate function %.*s(), xrefs: 60925CDC
                                • no such function: %.*s, xrefs: 60925D02
                                Similarity
                                • API ID:
                                • String ID: misuse of aggregate function %.*s()$no such function: %.*s$not authorized to use function: %s$parameters prohibited in CHECK constraints$subqueries prohibited in CHECK constraints$wrong number of arguments to function %.*s()
                                APIs
                                • sqlite3_malloc.SQLITE3(?), ref: 6095AF79
                                  • Part of subcall function 60904358: sqlite3_initialize.SQLITE3(609038B0,0000000A), ref: 6090435E
                                • memcpy.MSVCRT ref: 6095AFDF
                                • sqlite3_realloc.SQLITE3(?,?), ref: 6095B008
                                • memcpy.MSVCRT ref: 6095B02C
                                • sqlite3_malloc.SQLITE3(?), ref: 6095B060
                                Similarity
                                • API ID: memcpysqlite3_malloc$sqlite3_initializesqlite3_realloc
                                • String ID:
                                Strings
                                Similarity
                                • API ID: memcpy
                                • String ID: %!.15g$%02x$%lld$'%.*q'$NULL$zeroblob(%d)
                                Strings
                                Similarity
                                • API ID:
                                • String ID: 0$0$0$0$0$0
                                Similarity
                                • API ID:
                                • String ID:
                                APIs
                                • LockFile.KERNEL32(?,00000000,00000001,00000000), ref: 6090892E
                                • GetLastError.KERNEL32(?,?,00000000), ref: 60908942
                                • LockFile.KERNEL32(?,40000001,00000000,00000001,00000000), ref: 60908995
                                • LockFile.KERNEL32(00000003,3FFFFFFE,00000000,000001FE,00000000), ref: 609089EC
                                • UnlockFile.KERNEL32(?,00000000,00000001,00000000), ref: 60908A34
                                Similarity
                                • API ID: File$Lock$ErrorLastUnlock
                                • String ID:
                                APIs
                                Similarity
                                • API ID: memsetsqlite3_freesqlite3_mallocsqlite3_mutex_entersqlite3_mutex_leave
                                • String ID:
                                APIs
                                • sqlite3_mutex_enter.SQLITE3(00000000), ref: 60910654
                                • sqlite3_mutex_leave.SQLITE3(00000000), ref: 6091066B
                                • sqlite3_free.SQLITE3(00000000), ref: 60910719
                                • sqlite3_free.SQLITE3(?), ref: 60910722
                                • sqlite3_mutex_leave.SQLITE3(00000000), ref: 60910740
                                Similarity
                                • API ID: sqlite3_freesqlite3_mutex_leave$sqlite3_mutex_enter
                                • String ID:
                                APIs
                                • sqlite3_mutex_enter.SQLITE3 ref: 60904394
                                • sqlite3_mutex_leave.SQLITE3 ref: 609043DE
                                • sqlite3_mutex_leave.SQLITE3 ref: 609043F9
                                • sqlite3_mutex_enter.SQLITE3 ref: 60904413
                                • sqlite3_mutex_leave.SQLITE3 ref: 60904455
                                Similarity
                                • API ID: sqlite3_mutex_leave$sqlite3_mutex_enter
                                • String ID:
                                • API String ID: 1664011779-0
                                APIs
                                  • Part of subcall function 60959B1C: sqlite3_malloc.SQLITE3(?), ref: 60959B6E
                                • sqlite3_step.SQLITE3(?), ref: 6095A402
                                • sqlite3_column_text.SQLITE3(?,?), ref: 6095A427
                                  • Part of subcall function 6091CE18: sqlite3_value_text.SQLITE3(00000000,?,?), ref: 6091CE33
                                • sqlite3_reset.SQLITE3(?), ref: 6095A454
                                • sqlite3_reset.SQLITE3(?), ref: 6095A466
                                • sqlite3_reset.SQLITE3(?), ref: 6095A476
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_reset$sqlite3_column_textsqlite3_mallocsqlite3_stepsqlite3_value_text
                                • String ID:
                                • API String ID: 2273511477-0
                                APIs
                                • strncmp.MSVCRT(?,start of ,00000009), ref: 609024A2
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: strncmp
                                • String ID: day$month$start of $year
                                • API String ID: 1114863663-2452992177
                                APIs
                                • sqlite3_value_type.SQLITE3(?), ref: 60933943
                                • sqlite3_value_bytes.SQLITE3(?), ref: 60933969
                                • sqlite3_value_text.SQLITE3(?), ref: 60933979
                                • sqlite3_result_int.SQLITE3(?,00000000), ref: 609339A9
                                • sqlite3_result_null.SQLITE3(?), ref: 609339B4
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_result_intsqlite3_result_nullsqlite3_value_bytessqlite3_value_textsqlite3_value_type
                                • String ID:
                                • API String ID: 3140553922-0
                                APIs
                                • AreFileApisANSI.KERNEL32(?,?,?,?,609084C3,?), ref: 609083C9
                                • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000), ref: 609083E6
                                • malloc.MSVCRT ref: 609083F6
                                • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000), ref: 60908416
                                • free.MSVCRT(00000000), ref: 60908428
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                • String ID:
                                • API String ID: 4053608372-0
                                APIs
                                • AreFileApisANSI.KERNEL32 ref: 60908445
                                • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 60908463
                                • malloc.MSVCRT ref: 6090846E
                                • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6090848F
                                • free.MSVCRT(00000000), ref: 6090849E
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                • String ID:
                                • API String ID: 4053608372-0
                                APIs
                                • sqlite3_column_bytes.SQLITE3(00000000,00000004), ref: 6095ABB6
                                  • Part of subcall function 6091CCF8: sqlite3_value_bytes.SQLITE3(00000000,?,?), ref: 6091CD13
                                • sqlite3_column_blob.SQLITE3(00000000,00000004), ref: 6095ABC5
                                  • Part of subcall function 6091CCC0: sqlite3_value_blob.SQLITE3(00000000,?,?), ref: 6091CCDB
                                • sqlite3_column_int64.SQLITE3(00000000,00000003), ref: 6095ABD4
                                  • Part of subcall function 6091CDD8: sqlite3_value_int64.SQLITE3(00000000,?,?), ref: 6091CDF4
                                • sqlite3_column_int64.SQLITE3(00000000,00000002), ref: 6095ABE4
                                • sqlite3_column_int64.SQLITE3(00000000,00000001), ref: 6095ABF4
                                  • Part of subcall function 6095A7E4: sqlite3_malloc.SQLITE3(-00000048), ref: 6095A832
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_column_int64$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_value_blobsqlite3_value_bytessqlite3_value_int64
                                • String ID:
                                • API String ID: 4211689184-0
                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_free$sqlite3_finalize
                                • String ID:
                                • API String ID: 1247242322-0
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: aolf$bolc$buod$laer$rahc$txet
                                • API String ID: 0-4292189430
                                APIs
                                • sqlite3_column_text.SQLITE3(00000000,00000001), ref: 6095D3C5
                                  • Part of subcall function 6091CE18: sqlite3_value_text.SQLITE3(00000000,?,?), ref: 6091CE33
                                • sqlite3_column_type.SQLITE3(00000000,00000001), ref: 6095D3DB
                                  • Part of subcall function 6091CECC: sqlite3_value_type.SQLITE3(00000000,?,?), ref: 6091CEE7
                                • sqlite3_column_bytes.SQLITE3(00000000,00000001), ref: 6095D3FF
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_column_bytessqlite3_column_textsqlite3_column_typesqlite3_value_textsqlite3_value_type
                                • String ID: </b>
                                • API String ID: 4040450707-1040354646
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                • too many levels of trigger recursion, xrefs: 6092328C
                                • statement aborts at %d: [%s] %s, xrefs: 60924204
                                • out of memory, xrefs: 60924321
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: out of memory$statement aborts at %d: [%s] %s$too many levels of trigger recursion
                                • API String ID: 632333372-3996290085
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                • API String ID: 632333372-3170954634
                                APIs
                                • sqlite3_result_error.SQLITE3(00000007,00000000,000000FF), ref: 6092D00F
                                • sqlite3_result_error_code.SQLITE3(00000000,00000000), ref: 6092D037
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_result_errorsqlite3_result_error_code
                                • String ID: database is already attached$out of memory
                                • API String ID: 3914000214-17769021
                                APIs
                                • sqlite3_result_error.SQLITE3(00000007,00000000,000000FF), ref: 6092D00F
                                • sqlite3_result_error_code.SQLITE3(00000000,00000000), ref: 6092D037
                                Strings
                                • out of memory, xrefs: 6092CFB1
                                • attached databases must use the same text encoding as main database, xrefs: 6092CE6E
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_result_errorsqlite3_result_error_code
                                • String ID: attached databases must use the same text encoding as main database$out of memory
                                • API String ID: 3914000214-1192372931
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: d$out of memory$statement aborts at %d: [%s] %s
                                APIs
                                • sqlite3_strnicmp.SQLITE3(?,-5A8FD0B0,?), ref: 6093D8DC
                                Strings
                                • RIGHT and FULL OUTER JOINs are not currently supported, xrefs: 6093D97A
                                • unknown or unsupported join type: %T %T%s%T, xrefs: 6093D958
                                • naturaleftouterightfullinnercross, xrefs: 6093D8D4
                                Similarity
                                • API ID: sqlite3_strnicmp
                                • String ID: RIGHT and FULL OUTER JOINs are not currently supported$naturaleftouterightfullinnercross$unknown or unsupported join type: %T %T%s%T
                                APIs
                                • sqlite3_snprintf.SQLITE3(000000E6,?,60908C32,00000000), ref: 60908C6A
                                • sqlite3_snprintf.SQLITE3(?,?,%s\etilqs_,?), ref: 60908D2C
                                • sqlite3_randomness.SQLITE3(00000014,00000000), ref: 60908D48
                                Similarity
                                • API ID: sqlite3_snprintf$sqlite3_randomness
                                • String ID: %s\etilqs_
                                APIs
                                • sqlite3_mutex_enter.SQLITE3(00000000), ref: 60939D28
                                • sqlite3_mutex_leave.SQLITE3(00000000), ref: 60939D50
                                • sqlite3_free.SQLITE3(00000000), ref: 60939D9F
                                Strings
                                • automatic extension loading failed: %s, xrefs: 60939D7F
                                Similarity
                                • API ID: sqlite3_freesqlite3_mutex_entersqlite3_mutex_leave
                                • String ID: automatic extension loading failed: %s
                                APIs
                                • sqlite3_value_text.SQLITE3(6095C89A), ref: 6095C6BF
                                • sqlite3_value_bytes.SQLITE3(6095C89A), ref: 6095C6CA
                                • sqlite3_strnicmp.SQLITE3(00000000,optimize,00000008), ref: 6095C6F0
                                Similarity
                                • API ID: sqlite3_strnicmpsqlite3_value_bytessqlite3_value_text
                                • String ID: optimize
                                APIs
                                • sqlite3_mprintf.SQLITE3(DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';,?,?,?,?,?,?), ref: 6095EAE4
                                  • Part of subcall function 60905F80: sqlite3_initialize.SQLITE3 ref: 60905F86
                                  • Part of subcall function 60905F80: sqlite3_vmprintf.SQLITE3(?,?), ref: 60905F99
                                • sqlite3_exec.SQLITE3(?,00000000,00000000,00000000,00000000), ref: 6095EB09
                                • sqlite3_free.SQLITE3(00000000), ref: 6095EB17
                                Strings
                                • DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';, xrefs: 6095EADF
                                Similarity
                                • API ID: sqlite3_execsqlite3_freesqlite3_initializesqlite3_mprintfsqlite3_vmprintf
                                • String ID: DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';
                                APIs
                                • sqlite3_mprintf.SQLITE3(ALTER TABLE %Q.'%q_node' RENAME TO "%w_node";ALTER TABLE %Q.'%q_parent' RENAME TO "%w_parent";ALTER TABLE %Q.'%q_rowid' RENAME TO "%w_rowid";,?,?,?,?,?,?,?,?,?), ref: 6096188F
                                  • Part of subcall function 60905F80: sqlite3_initialize.SQLITE3 ref: 60905F86
                                  • Part of subcall function 60905F80: sqlite3_vmprintf.SQLITE3(?,?), ref: 60905F99
                                • sqlite3_exec.SQLITE3(?,00000000,00000000,00000000,00000000), ref: 609618AA
                                • sqlite3_free.SQLITE3(00000000), ref: 609618B8
                                  • Part of subcall function 609045DC: sqlite3_mutex_enter.SQLITE3 ref: 609045FC
                                  • Part of subcall function 609045DC: sqlite3_mutex_leave.SQLITE3 ref: 6090462E
                                Strings
                                • ALTER TABLE %Q.'%q_node' RENAME TO "%w_node";ALTER TABLE %Q.'%q_parent' RENAME TO "%w_parent";ALTER TABLE %Q.'%q_rowid' RENAME TO "%w_rowid";, xrefs: 6096188A
                                Similarity
                                • API ID: sqlite3_execsqlite3_freesqlite3_initializesqlite3_mprintfsqlite3_mutex_entersqlite3_mutex_leavesqlite3_vmprintf
                                • String ID: ALTER TABLE %Q.'%q_node' RENAME TO "%w_node";ALTER TABLE %Q.'%q_parent' RENAME TO "%w_parent";ALTER TABLE %Q.'%q_rowid' RENAME TO "%w_rowid";
                                APIs
                                • sqlite3_mprintf.SQLITE3(SELECT 1 FROM %Q.sqlite_master WHERE name='%q%s',?,?,?), ref: 609541AA
                                  • Part of subcall function 60905F80: sqlite3_initialize.SQLITE3 ref: 60905F86
                                  • Part of subcall function 60905F80: sqlite3_vmprintf.SQLITE3(?,?), ref: 60905F99
                                • sqlite3_exec.SQLITE3(?,00000000,Function_00054120,?,00000000), ref: 609541C3
                                • sqlite3_free.SQLITE3(00000000), ref: 609541D1
                                  • Part of subcall function 609045DC: sqlite3_mutex_enter.SQLITE3 ref: 609045FC
                                  • Part of subcall function 609045DC: sqlite3_mutex_leave.SQLITE3 ref: 6090462E
                                Strings
                                • SELECT 1 FROM %Q.sqlite_master WHERE name='%q%s', xrefs: 609541A5
                                Similarity
                                • API ID: sqlite3_execsqlite3_freesqlite3_initializesqlite3_mprintfsqlite3_mutex_entersqlite3_mutex_leavesqlite3_vmprintf
                                • String ID: SELECT 1 FROM %Q.sqlite_master WHERE name='%q%s'
                                APIs
                                • sqlite3_mprintf.SQLITE3(unable to use function %s in the requested context,?), ref: 6091CA1C
                                  • Part of subcall function 60905F80: sqlite3_initialize.SQLITE3 ref: 60905F86
                                  • Part of subcall function 60905F80: sqlite3_vmprintf.SQLITE3(?,?), ref: 60905F99
                                • sqlite3_result_error.SQLITE3(?,00000000,000000FF), ref: 6091CA2A
                                • sqlite3_free.SQLITE3(00000000), ref: 6091CA36
                                  • Part of subcall function 609045DC: sqlite3_mutex_enter.SQLITE3 ref: 609045FC
                                  • Part of subcall function 609045DC: sqlite3_mutex_leave.SQLITE3 ref: 6090462E
                                Strings
                                • unable to use function %s in the requested context, xrefs: 6091CA17
                                Similarity
                                • API ID: sqlite3_freesqlite3_initializesqlite3_mprintfsqlite3_mutex_entersqlite3_mutex_leavesqlite3_result_errorsqlite3_vmprintf
                                • String ID: unable to use function %s in the requested context
                                Strings
                                Similarity
                                • API ID:
                                • String ID: INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')$sqlite_master$sqlite_temp_master$trigger$type='trigger' AND name='%q'
                                APIs
                                • sqlite3_mutex_enter.SQLITE3(?), ref: 60917B2D
                                  • Part of subcall function 6090EB0C: sqlite3_mutex_try.SQLITE3(?), ref: 6090EB2F
                                • sqlite3_mutex_enter.SQLITE3(?), ref: 60917B4F
                                Similarity
                                • API ID: sqlite3_mutex_enter$sqlite3_mutex_try
                                Strings
                                • sqlite_master, xrefs: 6094648B, 6094649B
                                • sqlite_temp_master, xrefs: 60946496
                                • name='%q', xrefs: 609464F9
                                • CREATE VIRTUAL TABLE %T, xrefs: 6094645C
                                • UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d, xrefs: 609464A8
                                Similarity
                                • API ID:
                                • String ID: CREATE VIRTUAL TABLE %T$UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d$name='%q'$sqlite_master$sqlite_temp_master
                                Strings
                                • ALTER TABLE %Q.'%q_docsize' RENAME TO '%q_docsize';, xrefs: 609569DC
                                • ALTER TABLE %Q.'%q_segments' RENAME TO '%q_segments';, xrefs: 60956A14
                                • ALTER TABLE %Q.'%q_segdir' RENAME TO '%q_segdir';, xrefs: 60956A30
                                • ALTER TABLE %Q.'%q_stat' RENAME TO '%q_stat';, xrefs: 609569F8
                                • ALTER TABLE %Q.'%q_content' RENAME TO '%q_content';, xrefs: 609569A7
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                • Associated: 00000002.00000002.1891398379.0000000060900000.00000002.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891493121.0000000060964000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891522281.0000000060966000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891543878.0000000060968000.00000004.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891576917.0000000060969000.00000008.00000001.01000000.00000010.sdmp
                                • Associated: 00000002.00000002.1891601811.000000006096C000.00000002.00000001.01000000.00000010.sdmp
                                Similarity
                                • API ID: sqlite3_vmprintf
                                • String ID: ALTER TABLE %Q.'%q_content' RENAME TO '%q_content';$ALTER TABLE %Q.'%q_docsize' RENAME TO '%q_docsize';$ALTER TABLE %Q.'%q_segdir' RENAME TO '%q_segdir';$ALTER TABLE %Q.'%q_segments' RENAME TO '%q_segments';$ALTER TABLE %Q.'%q_stat' RENAME TO '%q_stat';
                                • API String ID: 1100454213-385190691
                                • Opcode ID: 030098600ad9c24ca465ec1e696bd458d83a34325a64ff9a8f15010ffd1a4c98
                                • Instruction ID: 792ec31899127f533265a4faae9729ec7a18b010498a68a2d34489988ffbdcec
                                • Opcode Fuzzy Hash: 030098600ad9c24ca465ec1e696bd458d83a34325a64ff9a8f15010ffd1a4c98
                                • Instruction Fuzzy Hash: E4219272800144BBCF12CEA68C85E9F7B7AEF6A224F044144FE246A195D332D634E766
                                Strings
                                • DROP TABLE IF EXISTS %Q.'%q_segdir', xrefs: 60953CC6
                                • DROP TABLE IF EXISTS %Q.'%q_docsize', xrefs: 60953CDE
                                • DROP TABLE IF EXISTS %Q.'%q_content', xrefs: 60953C93
                                • DROP TABLE IF EXISTS %Q.'%q_stat', xrefs: 60953CF6
                                • DROP TABLE IF EXISTS %Q.'%q_segments', xrefs: 60953CAE
                                Similarity
                                • API ID: sqlite3_free$sqlite3_finalize$sqlite3_execsqlite3_vmprintf
                                • String ID: DROP TABLE IF EXISTS %Q.'%q_content'$DROP TABLE IF EXISTS %Q.'%q_docsize'$DROP TABLE IF EXISTS %Q.'%q_segdir'$DROP TABLE IF EXISTS %Q.'%q_segments'$DROP TABLE IF EXISTS %Q.'%q_stat'
                                • API String ID: 3630088679-4190201087
                                • Opcode ID: fadf2282ddc7e48b7f4545284ae83914a710cb1b47f5e8e866f13d003e522f83
                                • Instruction ID: 56ea717123ca0184c09033ce9c17faa77f219adeb62fb0d20708a1defc478447
                                • Opcode Fuzzy Hash: fadf2282ddc7e48b7f4545284ae83914a710cb1b47f5e8e866f13d003e522f83
                                • Instruction Fuzzy Hash: 4411427290050177C7129BB79C82E5ABB3EBB65178F144700BA7861591E732E274A7E1
                                Strings
                                Similarity
                                • API ID:
                                • String ID: CASCADE$NO ACTION$RESTRICT$SET DEFAULT$SET NULL
                                • API String ID: 0-559306718
                                • Opcode ID: 04f0136f2b6c790901061903b7deb4cd2482d5b4446bd2486d28c434f55a4057
                                • Instruction ID: 44c610c999b56b0cd1b745be3fdcd0d467086f22b991d75ada44af72a3949bbb
                                • Opcode Fuzzy Hash: 04f0136f2b6c790901061903b7deb4cd2482d5b4446bd2486d28c434f55a4057
                                • Instruction Fuzzy Hash: 8CE042152A83B5928E2E014D8C8956E398FE273798FB00623E9B2DE650D149DCC46E93
                                Strings
                                • virtual tables may not be altered, xrefs: 6092BEE9
                                • Cannot add a column to a view, xrefs: 6092BF05
                                • sqlite_altertab_%s, xrefs: 6092BF87
                                Similarity
                                • API ID:
                                • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                • API String ID: 0-2063813899
                                • Opcode ID: aea2dffd2bac11630124342975b324442070ec31c9570539fe3ee5c401eed91e
                                • Instruction ID: 7a4bc70c7cd57cae23a1c96b1d85928aa6aee4c16fa5b91e892a0ce5358d448f
                                • Opcode Fuzzy Hash: aea2dffd2bac11630124342975b324442070ec31c9570539fe3ee5c401eed91e
                                • Instruction Fuzzy Hash: FB5193B5900605EBDB00CF68C881B8AB7B6BF65324F148754E9789B395E735EA54CBC0
                                APIs
                                • sqlite3_free.SQLITE3(00000000), ref: 6095F1C1
                                  • Part of subcall function 609045DC: sqlite3_mutex_enter.SQLITE3 ref: 609045FC
                                  • Part of subcall function 609045DC: sqlite3_mutex_leave.SQLITE3 ref: 6090462E
                                • sqlite3_value_int64.SQLITE3(?), ref: 6095F1E0
                                  • Part of subcall function 6095F100: sqlite3_bind_int64.SQLITE3(?,00000001,?,?), ref: 6095F124
                                  • Part of subcall function 6095F100: sqlite3_step.SQLITE3(?), ref: 6095F132
                                  • Part of subcall function 6095F100: sqlite3_column_int64.SQLITE3(?,00000000), ref: 6095F14A
                                  • Part of subcall function 6095F100: sqlite3_reset.SQLITE3(?), ref: 6095F16B
                                • sqlite3_malloc.SQLITE3(00000000), ref: 6095F23C
                                Similarity
                                • API ID: sqlite3_bind_int64sqlite3_column_int64sqlite3_freesqlite3_mallocsqlite3_mutex_entersqlite3_mutex_leavesqlite3_resetsqlite3_stepsqlite3_value_int64
                                • String ID:
                                • API String ID: 2028852888-0
                                • Opcode ID: 8ba4222590a0488d2a5500f55ab3df62c4ade78f20a5cf404c298e253614d004
                                • Instruction ID: b78d761bf243f5fadb5e82b832d9fba73fe0b06e894602a8e6d92299260b5cd7
                                • Opcode Fuzzy Hash: 8ba4222590a0488d2a5500f55ab3df62c4ade78f20a5cf404c298e253614d004
                                • Instruction Fuzzy Hash: 495184B1D0020A9FDF11DFA9C88179EB7B9FF14368F144615E924A7280E335DA64CBD1
                                APIs
                                • sqlite3_realloc.SQLITE3(00000000,00000000), ref: 6095485A
                                • sqlite3_free.SQLITE3(00000000), ref: 6095486D
                                • memcpy.MSVCRT ref: 6095488F
                                Similarity
                                • API ID: memcpysqlite3_freesqlite3_realloc
                                • String ID:
                                • API String ID: 1869821998-0
                                • Opcode ID: ea2e69014317d4c594a80e3ddeac26e94361b053c877dc5c4c30a02b79babfd8
                                • Instruction ID: 2c40c47913f64ffa3cf89b4a6fddf81ea60e42054348e66d44aa65c75c6f9ff0
                                • Opcode Fuzzy Hash: ea2e69014317d4c594a80e3ddeac26e94361b053c877dc5c4c30a02b79babfd8
                                • Instruction Fuzzy Hash: D25108B1D002199BDF41CFA9CC81ADEB7B6BB58324F148215E924B3380E739D9658FA1
                                APIs
                                • sqlite3_value_type.SQLITE3(?), ref: 60902A35
                                • sqlite3_value_double.SQLITE3(?), ref: 60902A4C
                                • sqlite3_value_text.SQLITE3(?), ref: 60902AC2
                                  • Part of subcall function 60901A48: sqlite3_context_db_handle.SQLITE3(?), ref: 60901A58
                                Similarity
                                • API ID: sqlite3_context_db_handlesqlite3_value_doublesqlite3_value_textsqlite3_value_type
                                • String ID:
                                • API String ID: 3025975540-0
                                • Opcode ID: 883f1c2bd198a86e9c7f8f16744ff7b5a38b47fab92e370511a1fca4becc1459
                                • Instruction ID: 2b19577da66b28719aa370d6b6ae0baf9e8b4d2675e0ca4785485665dba851ce
                                • Opcode Fuzzy Hash: 883f1c2bd198a86e9c7f8f16744ff7b5a38b47fab92e370511a1fca4becc1459
                                • Instruction Fuzzy Hash: 8431C2B1E041099BEF105F68CC4269B76AAEF31324F244668EC36E22D5FB36DE508252
                                APIs
                                  • Part of subcall function 60959B1C: sqlite3_malloc.SQLITE3(?), ref: 60959B6E
                                • sqlite3_step.SQLITE3(?), ref: 6095C36D
                                • sqlite3_column_bytes.SQLITE3(?,00000000), ref: 6095C386
                                  • Part of subcall function 6091CCF8: sqlite3_value_bytes.SQLITE3(00000000,?,?), ref: 6091CD13
                                • sqlite3_column_blob.SQLITE3(?,00000000), ref: 6095C396
                                  • Part of subcall function 6091CCC0: sqlite3_value_blob.SQLITE3(00000000,?,?), ref: 6091CCDB
                                • sqlite3_reset.SQLITE3(?), ref: 6095C418
                                Similarity
                                • API ID: sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_resetsqlite3_stepsqlite3_value_blobsqlite3_value_bytes
                                • String ID:
                                • API String ID: 601408230-0
                                • Opcode ID: 48101379ffbe1d2cfa8363c5964501c8f84ed201df037f684a18952220ccbcce
                                • Instruction ID: 29a69ca5d3ef4e2b33b09842baeb41add185e7afe6c486bdcbd26bac4e405168
                                • Opcode Fuzzy Hash: 48101379ffbe1d2cfa8363c5964501c8f84ed201df037f684a18952220ccbcce
                                • Instruction Fuzzy Hash: B23181B1D041099BDB11CFA9CC42ADEB7B6AB24324F104660E964F7290E731EE659B91
                                APIs
                                Similarity
                                • API ID: sqlite3_free
                                • String ID:
                                • API String ID: 2313487548-0
                                • Opcode ID: a4618fd008f5aaa51926f5a17f92b4c0112d17dd5e5ae3194db94ff97b9e9f83
                                • Instruction ID: 15b6790ba6c5b209cd1f1a2f33f551f48d3fad424f02dfd9d1ce1796c8aceb3d
                                • Opcode Fuzzy Hash: a4618fd008f5aaa51926f5a17f92b4c0112d17dd5e5ae3194db94ff97b9e9f83
                                • Instruction Fuzzy Hash: 6E316DB1A00605AFCB11CF99CC41A9AB7B5FF18324F144718F96593790E731E925DF90
                                APIs
                                • sqlite3_mutex_enter.SQLITE3 ref: 609044B9
                                • sqlite3_mutex_leave.SQLITE3 ref: 609044F0
                                • sqlite3_mutex_enter.SQLITE3 ref: 6090451E
                                • sqlite3_mutex_leave.SQLITE3 ref: 6090454F
                                Similarity
                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                • String ID:
                                • API String ID: 1477753154-0
                                • Opcode ID: 6774c33a7c82a58d58328f96956de20259a36487c873f544e75b34e786953e23
                                • Instruction ID: a039931e18abd69968e6d37638f9d6b315f7e9be3e2694b850d8f826327bffee
                                • Opcode Fuzzy Hash: 6774c33a7c82a58d58328f96956de20259a36487c873f544e75b34e786953e23
                                • Instruction Fuzzy Hash: 7621BBB152820257EF0457E8CCD2F253E9B6737138F140328B939A22F0EB51C5509D91
                                APIs
                                • sqlite3_result_int64.SQLITE3(?,?,?), ref: 60956214
                                • sqlite3_result_blob.SQLITE3(?,?,00000004,000000FF), ref: 60956229
                                Similarity
                                • API ID: sqlite3_result_blobsqlite3_result_int64
                                • String ID:
                                • API String ID: 1084261363-0
                                • Opcode ID: ceaeebdd1b6cda8446a4d10fbc26b7c37b8ae956e9553800f881bc950aecc2d3
                                • Instruction ID: f2c3c984bce7e90868872b0ae49fb5d68e50f943b415baf2bf9e3e2f5dcd4db4
                                • Opcode Fuzzy Hash: ceaeebdd1b6cda8446a4d10fbc26b7c37b8ae956e9553800f881bc950aecc2d3
                                • Instruction Fuzzy Hash: B71186B5A08105ABCB01DA998C81DAE777E9B65234F104364FA74D32D0E731E955C791
                                APIs
                                • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 6090864D
                                • GetLastError.KERNEL32(?,?,?,00000000), ref: 60908659
                                • WriteFile.KERNEL32(?,?,?,00000000,00000000), ref: 6090867D
                                • GetLastError.KERNEL32(?,?,?,00000000), ref: 6090869B
                                Similarity
                                • API ID: ErrorFileLast$PointerWrite
                                • String ID:
                                • API String ID: 2977825765-0
                                • Opcode ID: 0ab99cccd734933dabbd4b2dcc42b853f279058f816fe5116ca2d87a66818af8
                                • Instruction ID: de2cf6c93da3e80cfdb50bcca2ececece6ad12b0d12ac01b49017223849baed4
                                • Opcode Fuzzy Hash: 0ab99cccd734933dabbd4b2dcc42b853f279058f816fe5116ca2d87a66818af8
                                • Instruction Fuzzy Hash: 19116371A00215ABDB00DEA9C981BCBBBFEAF64364F118225FD65D7280E7B1D950CB91
                                APIs
                                • sqlite3_user_data.SQLITE3(?), ref: 6093382B
                                • sqlite3_value_type.SQLITE3(?), ref: 6093385B
                                • sqlite3_value_type.SQLITE3(?), ref: 6093387A
                                • sqlite3_result_value.SQLITE3(?,?), ref: 609338B5
                                Similarity
                                • API ID: sqlite3_value_type$sqlite3_result_valuesqlite3_user_data
                                • String ID:
                                • API String ID: 962813756-0
                                • Opcode ID: 13ce01b419d2a275202ff6da1aad9dcc5fd59eb420855532d1b7da88e99c39d0
                                • Instruction ID: 1daa7fe66951fb5d57585e9d970a61c5476fdc7b1444d11016945e046bf4adad
                                • Opcode Fuzzy Hash: 13ce01b419d2a275202ff6da1aad9dcc5fd59eb420855532d1b7da88e99c39d0
                                • Instruction Fuzzy Hash: D1118471D00519ABDF119E7CCC82ADE7B76DB21234F144754F874972D0E731E6608B91
                                APIs
                                  • Part of subcall function 60908290: GetVersionExA.KERNEL32(00000094), ref: 609082B6
                                • LockFileEx.KERNEL32(?,00000001,00000000,000001FE,00000000,?), ref: 609087EA
                                • sqlite3_randomness.SQLITE3(00000004,?), ref: 60908801
                                • LockFile.KERNEL32(?,40000002,00000000,00000001,00000000), ref: 60908838
                                • GetLastError.KERNEL32(00000000,?), ref: 60908846
                                Similarity
                                • API ID: FileLock$ErrorLastVersionsqlite3_randomness
                                APIs
                                • sqlite3_value_text.SQLITE3(?), ref: 60933FA9
                                • sqlite3_value_bytes.SQLITE3(?), ref: 60933FB5
                                  • Part of subcall function 60933E9C: sqlite3_context_db_handle.SQLITE3(?), ref: 60933EB2
                                  • Part of subcall function 60933E9C: sqlite3_result_error_toobig.SQLITE3(?), ref: 60933ECC
                                • memcpy.MSVCRT ref: 60933FEA
                                • sqlite3_result_text.SQLITE3(?,00000000,000000FF,?), ref: 6093401C
                                Similarity
                                • API ID: memcpysqlite3_context_db_handlesqlite3_result_error_toobigsqlite3_result_textsqlite3_value_bytessqlite3_value_text
                                APIs
                                • sqlite3_initialize.SQLITE3 ref: 60939BC8
                                • sqlite3_mutex_enter.SQLITE3(00000000), ref: 60939BE7
                                • sqlite3_realloc.SQLITE3(00000000), ref: 60939C2B
                                • sqlite3_mutex_leave.SQLITE3(00000000), ref: 60939C58
                                Similarity
                                • API ID: sqlite3_initializesqlite3_mutex_entersqlite3_mutex_leavesqlite3_realloc
                                APIs
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,609084D5,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,609084D5,00000000), ref: 60908372
                                • malloc.MSVCRT ref: 6090837D
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,609084D5,000000FF,00000000,00000000,00000000,00000000), ref: 609083A0
                                • free.MSVCRT(00000000), ref: 609083AF
                                Similarity
                                • API ID: ByteCharMultiWide$freemalloc
                                APIs
                                • sqlite3_prepare.SQLITE3(?,?,000000FF,?,00000000), ref: 60945551
                                • sqlite3_step.SQLITE3(?), ref: 60945563
                                Similarity
                                • API ID: sqlite3_preparesqlite3_step
                                APIs
                                • sqlite3_initialize.SQLITE3 ref: 609038DC
                                • sqlite3_mutex_enter.SQLITE3(00000000), ref: 609038FC
                                • strcmp.MSVCRT ref: 6090391E
                                • sqlite3_mutex_leave.SQLITE3(00000000), ref: 6090392E
                                Similarity
                                • API ID: sqlite3_initializesqlite3_mutex_entersqlite3_mutex_leavestrcmp
                                APIs
                                • sqlite3_context_db_handle.SQLITE3(?), ref: 609349CB
                                • sqlite3_value_int64.SQLITE3(?), ref: 609349D7
                                • sqlite3_result_error_toobig.SQLITE3(?), ref: 609349F5
                                • sqlite3_result_zeroblob.SQLITE3(?,00000000), ref: 60934A01
                                Similarity
                                • API ID: sqlite3_context_db_handlesqlite3_result_error_toobigsqlite3_result_zeroblobsqlite3_value_int64
                                APIs
                                  • Part of subcall function 60959B1C: sqlite3_malloc.SQLITE3(?), ref: 60959B6E
                                • sqlite3_step.SQLITE3(?), ref: 6095B87F
                                • sqlite3_column_int.SQLITE3(?,00000000), ref: 6095B894
                                  • Part of subcall function 6091CDA0: sqlite3_value_int.SQLITE3(00000000,?,?), ref: 6091CDBB
                                • sqlite3_column_int.SQLITE3(?,00000001), ref: 6095B8A8
                                • sqlite3_reset.SQLITE3(?), ref: 6095B8BD
                                Similarity
                                • API ID: sqlite3_column_int$sqlite3_mallocsqlite3_resetsqlite3_stepsqlite3_value_int
                                APIs
                                • sqlite3_prepare_v2.SQLITE3(00000000,00000000,000000FF,00000000,00000000), ref: 60961D84
                                • sqlite3_step.SQLITE3(00000000), ref: 60961D96
                                • sqlite3_column_int.SQLITE3(00000000,00000000), ref: 60961DAB
                                  • Part of subcall function 6091CDA0: sqlite3_value_int.SQLITE3(00000000,?,?), ref: 6091CDBB
                                • sqlite3_finalize.SQLITE3(00000000), ref: 60961DC0
                                Similarity
                                • API ID: sqlite3_column_intsqlite3_finalizesqlite3_prepare_v2sqlite3_stepsqlite3_value_int
                                APIs
                                • sqlite3_aggregate_context.SQLITE3(?,00000000), ref: 60935338
                                • sqlite3_result_error_toobig.SQLITE3(?), ref: 6093534E
                                • sqlite3_result_error_nomem.SQLITE3(?), ref: 60935362
                                Similarity
                                • API ID: sqlite3_aggregate_contextsqlite3_result_error_nomemsqlite3_result_error_toobig
                                APIs
                                • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 609086DE
                                • GetLastError.KERNEL32(?,?,?,00000000), ref: 609086E8
                                • SetEndOfFile.KERNEL32(?), ref: 609086F7
                                Similarity
                                • API ID: File$ErrorLastPointer
                                APIs
                                • sqlite3_mutex_enter.SQLITE3 ref: 6090ACB3
                                • sqlite3_mutex_leave.SQLITE3 ref: 6090ACE6
                                • sqlite3_free.SQLITE3(?), ref: 6090ACF1
                                  • Part of subcall function 609045DC: sqlite3_mutex_enter.SQLITE3 ref: 609045FC
                                  • Part of subcall function 609045DC: sqlite3_mutex_leave.SQLITE3 ref: 6090462E
                                • sqlite3_free.SQLITE3(?), ref: 6090ACFD
                                Similarity
                                • API ID: sqlite3_freesqlite3_mutex_entersqlite3_mutex_leave
                                APIs
                                • sqlite3_mutex_enter.SQLITE3 ref: 6090ACB3
                                • sqlite3_mutex_leave.SQLITE3 ref: 6090ACE6
                                • sqlite3_free.SQLITE3(?), ref: 6090ACF1
                                  • Part of subcall function 609045DC: sqlite3_mutex_enter.SQLITE3 ref: 609045FC
                                  • Part of subcall function 609045DC: sqlite3_mutex_leave.SQLITE3 ref: 6090462E
                                • sqlite3_free.SQLITE3(?), ref: 6090ACFD
                                Similarity
                                • API ID: sqlite3_freesqlite3_mutex_entersqlite3_mutex_leave
                                APIs
                                • sqlite3_finalize.SQLITE3(?), ref: 60954664
                                  • Part of subcall function 60957704: sqlite3_free.SQLITE3(53F4C483), ref: 60957731
                                  • Part of subcall function 60957704: sqlite3_free.SQLITE3(60954674), ref: 6095773A
                                • sqlite3_free.SQLITE3(?), ref: 6095467D
                                  • Part of subcall function 609045DC: sqlite3_mutex_enter.SQLITE3 ref: 609045FC
                                  • Part of subcall function 609045DC: sqlite3_mutex_leave.SQLITE3 ref: 6090462E
                                • sqlite3_free.SQLITE3(?), ref: 60954688
                                • sqlite3_free.SQLITE3(?), ref: 60954694
                                Similarity
                                • API ID: sqlite3_free$sqlite3_finalizesqlite3_mutex_entersqlite3_mutex_leave
                                APIs
                                • sqlite3_initialize.SQLITE3 ref: 60939C6F
                                • sqlite3_mutex_enter.SQLITE3(00000000), ref: 60939C88
                                • sqlite3_free.SQLITE3 ref: 60939C99
                                  • Part of subcall function 609045DC: sqlite3_mutex_enter.SQLITE3 ref: 609045FC
                                  • Part of subcall function 609045DC: sqlite3_mutex_leave.SQLITE3 ref: 6090462E
                                • sqlite3_mutex_leave.SQLITE3(00000000), ref: 60939CB6
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_freesqlite3_initialize
                                • String ID:
                                • API String ID: 2190448585-0
                                • Opcode ID: 227b1eadc1e461160a5e833a9cebf42c45f6319e24f14bc206f945daf41d19a3
                                • Instruction ID: eba75cb8a09929526dd17b003ee09ada0c99075913df41d460a7401ef25a89a2
                                • Opcode Fuzzy Hash: 227b1eadc1e461160a5e833a9cebf42c45f6319e24f14bc206f945daf41d19a3
                                • Instruction Fuzzy Hash: 69E092A092860617E60067B4DC93B1939AE173213CF004328697AA52E2FFA6C5254FD5
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                • string or blob too big, xrefs: 609242DB
                                • statement aborts at %d: [%s] %s, xrefs: 60924204
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: statement aborts at %d: [%s] %s$string or blob too big
                                • API String ID: 632333372-977909764
                                • Opcode ID: 425f7f2527971d985b7d4f0a11a7ae95e0ff41d2d4a1a664fc4e3d793190746b
                                • Instruction ID: c4ab6de983b8ae4f6eff81f657b8fa05815b81a9711116636a8311b02a0c99a2
                                • Opcode Fuzzy Hash: 425f7f2527971d985b7d4f0a11a7ae95e0ff41d2d4a1a664fc4e3d793190746b
                                • Instruction Fuzzy Hash: 6D222770E042299FDB20CF64CC80B98BBB6BB25314F1482D5E958AB392E735DE95CF41
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID: %.2x$d
                                • API String ID: 0-598075750
                                • Opcode ID: f956e1f953b382926e5e9ea0de6ee3876357190dc17c852edd61f6f86f424de0
                                • Instruction ID: 233542f280c38b3bede5905940c30ab18aefe04c56a7c5d728515ae15d5114a2
                                • Opcode Fuzzy Hash: f956e1f953b382926e5e9ea0de6ee3876357190dc17c852edd61f6f86f424de0
                                • Instruction Fuzzy Hash: C0C1D5B0A08249DFDB05CF68C885B5A7BB2BF15314F1545C8D854AF382E375EE95CB81
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                • statement aborts at %d: [%s] %s, xrefs: 60924204
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: statement aborts at %d: [%s] %s
                                • API String ID: 632333372-2689542837
                                • Opcode ID: 08260af3eb65a4ff0796a01eaec50f7d1985005ea748defe4727a34176a99636
                                • Instruction ID: a9aae310bb2605302c5f24db28df9fb46f25c449c6bec4446c93897c1b216b6a
                                • Opcode Fuzzy Hash: 08260af3eb65a4ff0796a01eaec50f7d1985005ea748defe4727a34176a99636
                                • Instruction Fuzzy Hash: 8CD11674E04268CFEB60CF18DC40B89B7B6BB26324F1082D9D928A7295D7359ED5CF52
                                APIs
                                • sqlite3_value_type.SQLITE3(00000000), ref: 60947811
                                • sqlite3_value_text.SQLITE3(?), ref: 60947825
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_value_textsqlite3_value_type
                                • String ID: ^
                                • API String ID: 436598578-1590793086
                                • Opcode ID: 89a4740298707de96cf78454c619f9760a74b183054b9c20dc790a5412604ff6
                                • Instruction ID: f213b863d6723ce97d29a3ece5aac9d59620442880a5ce3be03a0ef811226037
                                • Opcode Fuzzy Hash: 89a4740298707de96cf78454c619f9760a74b183054b9c20dc790a5412604ff6
                                • Instruction Fuzzy Hash: 2681B1B5D042499BDB10CF68CC81BAEFBBAAF25324F144654E874A73C1E735DA41CBA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID:
                                • String ID: NaN$gfff
                                • API String ID: 0-138074715
                                • Opcode ID: bffa5b40489f537e321fb630cba1bd73d0ae0dbff3acad0db907c86fff45a1d0
                                • Instruction ID: 7bb8a2344eae970665d476a11fb0077f194608ed9ca06765abe9df36cd61047f
                                • Opcode Fuzzy Hash: bffa5b40489f537e321fb630cba1bd73d0ae0dbff3acad0db907c86fff45a1d0
                                • Instruction Fuzzy Hash: 6A61D874D092A64FEB228A2C88557CABFA69F72314F1442DDC9DA97282D334CEC5CB51
                                APIs
                                • sqlite3_snprintf.SQLITE3(00000003,?,%.2x,?), ref: 6091A427
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_snprintf
                                • String ID: %.2x$d
                                • API String ID: 949980604-598075750
                                • Opcode ID: 6f89746001c406b70a495bbb0f2f3b7b00ef6b164a2402e94f219bf20a2b5bad
                                • Instruction ID: c1bdb3cf6999f60bf876f89899c9d4ba4b6c2cc17ec7839b08c73c748ede257d
                                • Opcode Fuzzy Hash: 6f89746001c406b70a495bbb0f2f3b7b00ef6b164a2402e94f219bf20a2b5bad
                                • Instruction Fuzzy Hash: BA71F6B0A08245DFDB15CF28C88174A7BF1AF25314F1546C8D8A59F386E3B5EA95CB81
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: out of memory$statement aborts at %d: [%s] %s
                                • API String ID: 632333372-4133732515
                                • Opcode ID: f9355a3b07bc5ae691028829ddc0f5158b581fe723557db6f5a2777199d42d29
                                • Instruction ID: 012c7bd8051c6f9945b8d24139cfd4105289b91c53abd0a780a137940489291f
                                • Opcode Fuzzy Hash: f9355a3b07bc5ae691028829ddc0f5158b581fe723557db6f5a2777199d42d29
                                • Instruction Fuzzy Hash: 5561A071D042589BDB20CB18CC41B99B7B6AB25324F0482D5E92CA7391EB35EBD5CF92
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: out of memory$statement aborts at %d: [%s] %s
                                • API String ID: 632333372-4133732515
                                • Opcode ID: 09ae4b2ee42910fe685e924c3ee928d8fd68d41a888ca342522d3afa16842a0a
                                • Instruction ID: 3114d13feb3081b93e27453a65417d5feda6617d8cb0173929bc22c911ff57c7
                                • Opcode Fuzzy Hash: 09ae4b2ee42910fe685e924c3ee928d8fd68d41a888ca342522d3afa16842a0a
                                • Instruction Fuzzy Hash: B8616AB1D04258DBDB20CF14CC40B99B7B6BB25328F1446D5E92C67291D775AEE4CF82
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: $statement aborts at %d: [%s] %s
                                • API String ID: 632333372-2430958165
                                • Opcode ID: 280cf48f35343039ce5c1e5379e8d3435d40d1f17ad33c5755c2f45344b12895
                                • Instruction ID: 967b823bab1626d3959957d4c422930264901028f6d66423456578177a1e30d5
                                • Opcode Fuzzy Hash: 280cf48f35343039ce5c1e5379e8d3435d40d1f17ad33c5755c2f45344b12895
                                • Instruction Fuzzy Hash: 5A613574A04269CBDB20CF18C880B99B7B6BF29314F1081D6D81CAB391E771AED5CF91
                                APIs
                                • sqlite3_result_error.SQLITE3(00000007,00000000,000000FF), ref: 6092D00F
                                • sqlite3_result_error_code.SQLITE3(00000000,00000000), ref: 6092D037
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_result_errorsqlite3_result_error_code
                                • String ID: out of memory
                                • API String ID: 3914000214-2599737071
                                • Opcode ID: 0d7057ea4fa43a6b84c1a812a53f1c11fec23a89a39e973e663ca192f0b110df
                                • Instruction ID: 9cd3bf9281168a07a177865b6a0d286198b6619c54266b2ed85356814646c251
                                • Opcode Fuzzy Hash: 0d7057ea4fa43a6b84c1a812a53f1c11fec23a89a39e973e663ca192f0b110df
                                • Instruction Fuzzy Hash: F551A3F1D14105ABDF00CBA4CD81B9DB6B6AF35234F244754E838672D1E735DA90DBA2
                                APIs
                                • sqlite3_snprintf.SQLITE3(00000064,?,On tree page %d cell %d: ,?,00000000), ref: 60916A59
                                • sqlite3_snprintf.SQLITE3(00000064,?,On page %d at right child: ,?,?), ref: 60916CF1
                                Strings
                                • On page %d at right child: , xrefs: 60916CE6
                                • Rowid %lld out of order (max larger than parent min of %lld), xrefs: 60916DB4
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_snprintf
                                • String ID: On page %d at right child: $Rowid %lld out of order (max larger than parent min of %lld)
                                • API String ID: 949980604-622707001
                                • Opcode ID: 672fc77c5c7aa8429e40d1bb344542c8d098d5531508167f9ee8b103e4eedbe4
                                • Instruction ID: 498bd98d8175bd6b5d99ee28a98de07a33a42c13cbc2ec184c2b47da34b94705
                                • Opcode Fuzzy Hash: 672fc77c5c7aa8429e40d1bb344542c8d098d5531508167f9ee8b103e4eedbe4
                                • Instruction Fuzzy Hash: 7D417FB5F041189FEB10CB64CC80F99B7BABB65314F1482C8E5289B291D775DEC5CB91
                                APIs
                                • sqlite3_mutex_leave.SQLITE3(?), ref: 60924AE8
                                Strings
                                • cannot open view: %s, xrefs: 609245E8
                                • cannot open virtual table: %s, xrefs: 609245C7
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_mutex_leave
                                • String ID: cannot open view: %s$cannot open virtual table: %s
                                • API String ID: 2496040974-55500233
                                • Opcode ID: b7e245fcc402c75218ab8a778551e92a42eef66518464823f295c45eb4d73171
                                • Instruction ID: 6ed16fd65c590bee1173d99d6c3fa3495c284cc0210ad42305b01283ba827b2c
                                • Opcode Fuzzy Hash: b7e245fcc402c75218ab8a778551e92a42eef66518464823f295c45eb4d73171
                                • Instruction Fuzzy Hash: 4D41E4B2C006095BDB018A58DC82BEE777AAF76228F140308F974672D5E735DA51CBD2
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: out of memory$statement aborts at %d: [%s] %s
                                • API String ID: 632333372-4133732515
                                • Opcode ID: d85c7886dce05cedb179a19f4cb98e77106c9c9750b4d1006b9bdde0b19b18fc
                                • Instruction ID: 9d8335cf620ccb2dcaf5d97683ffde7c9f460f1ad01b67c770e50bf7a70e3fc6
                                • Opcode Fuzzy Hash: d85c7886dce05cedb179a19f4cb98e77106c9c9750b4d1006b9bdde0b19b18fc
                                • Instruction Fuzzy Hash: FF41B271904249DBDB20CF18CC41B98B776BF24318F1086C5E929A7386E735EAA5CF91
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_60900000_Setup.jbxd
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: $statement aborts at %d: [%s] %s
                                • API String ID: 632333372-2430958165
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                • string or blob too big, xrefs: 609242DB
                                • statement aborts at %d: [%s] %s, xrefs: 60924204
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: statement aborts at %d: [%s] %s$string or blob too big
                                • API String ID: 632333372-977909764
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: out of memory$statement aborts at %d: [%s] %s
                                • API String ID: 632333372-4133732515
                                APIs
                                • sqlite3_value_text.SQLITE3(?), ref: 609238AD
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                • statement aborts at %d: [%s] %s, xrefs: 60924204
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_log, sqlite3_value_text
                                • String ID: statement aborts at %d: [%s] %s
                                • API String ID: 2320820228-2689542837
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: out of memory$statement aborts at %d: [%s] %s
                                • API String ID: 632333372-4133732515
                                APIs
                                • sqlite3_free.SQLITE3(00000000), ref: 60905C7A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_free
                                • String ID: +Inf$NaN
                                • API String ID: 2313487548-2365051862
                                Strings
                                • sqlite_stat1, xrefs: 6092CA50
                                • SELECT idx, stat FROM %Q.sqlite_stat1, xrefs: 6092CA72
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: SELECT idx, stat FROM %Q.sqlite_stat1$sqlite_stat1
                                • API String ID: 0-1024560077
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                • statement aborts at %d: [%s] %s, xrefs: 60924204
                                • database table is locked: %s, xrefs: 60923A06
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: database table is locked: %s$statement aborts at %d: [%s] %s
                                • API String ID: 632333372-1225535641
                                APIs
                                • sqlite3_log.SQLITE3(00000000,statement aborts at %d: [%s] %s,00000000,46C70775,45DBF845), ref: 6092420A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: ,$statement aborts at %d: [%s] %s
                                • API String ID: 632333372-667596864
                                APIs
                                • sqlite3_strnicmp.SQLITE3(?,sqlite_,00000007), ref: 60930268
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_strnicmp
                                • String ID: sqlite_$table %s may not be dropped
                                • API String ID: 1961171630-2701177213
                                APIs
                                • sqlite3_free.SQLITE3(00000000), ref: 60905C7A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_free
                                • String ID: %$NaN
                                • API String ID: 2313487548-2010511803
                                APIs
                                • sqlite3_strnicmp.SQLITE3(?,SQLITE_,00000007), ref: 60901383
                                • sqlite3_strnicmp.SQLITE3(?,?,?), ref: 609013B4
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: sqlite3_strnicmp
                                • String ID: SQLITE_
                                • API String ID: 1961171630-787686576
                                APIs
                                  • Part of subcall function 60918210: memcpy.MSVCRT ref: 609182A6
                                • sqlite3_snprintf.SQLITE3(00000020,1C438966,%!.15g,FFFFC0BF,1C43B70F), ref: 6091848B
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: memcpy, sqlite3_snprintf
                                • String ID: %!.15g$%lld
                                • API String ID: 3220818946-2983862324
                                APIs
                                  • Part of subcall function 60918210: memcpy.MSVCRT ref: 609182A6
                                • sqlite3_snprintf.SQLITE3(00000003,?,%.2x,?), ref: 6091A427
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: memcpy, sqlite3_snprintf
                                • String ID: %.2x$d
                                • API String ID: 3220818946-598075750
                                APIs
                                • atoi.MSVCRT ref: 60939E00
                                • sqlite3_strnicmp.SQLITE3(-5C919CBA,?,00000000), ref: 60939E45
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1891433640.0000000060901000.00000020.00000001.01000000.00000010.sdmp, Offset: 60900000, based on PE: true
                                Similarity
                                • API ID: atoi, sqlite3_strnicmp
                                • String ID: onoffalseyestruefull
                                • API String ID: 1336480274-88873426
                                APIs
                                • sqlite3_snprintf.SQLITE3(00000064,?,%04d-%02d-%02d %02d:%02d:%02d,?,?,?,?,?,?), ref: 60902BEB
                                • sqlite3_result_text.SQLITE3(?,?,000000FF,000000FF), ref: 60902BF9
                                  • Part of subcall function 609029F8: sqlite3_value_text.SQLITE3(?), ref: 60902AC2
                                Strings
                                • %04d-%02d-%02d %02d:%02d:%02d, xrefs: 60902BDD
                                Similarity
                                • API ID: sqlite3_result_textsqlite3_snprintfsqlite3_value_text
                                • String ID: %04d-%02d-%02d %02d:%02d:%02d
                                • API String ID: 1073563473-4146437471
                                • Opcode ID: d42ed97ff9a82674d81b13fdd716fce914744bbc4a48a12b832370ba38a4b3e6
                                • Instruction ID: c32e567d290772449ec2586043b846fa9bb0f4eca7d50da5cc6b6f1ed5423c6f
                                • Opcode Fuzzy Hash: d42ed97ff9a82674d81b13fdd716fce914744bbc4a48a12b832370ba38a4b3e6
                                • Instruction Fuzzy Hash: 8F015272D0422DAEDF115B54CC41BEEB735EF26224F1002D4FA79311E0E7368EA48B52
                                APIs
                                • sqlite3_snprintf.SQLITE3(00000064,?,%02d:%02d:%02d,?,?,?), ref: 60902C92
                                • sqlite3_result_text.SQLITE3(?,?,000000FF,000000FF), ref: 60902CA0
                                  • Part of subcall function 609029F8: sqlite3_value_text.SQLITE3(?), ref: 60902AC2
                                Strings
                                Similarity
                                • API ID: sqlite3_result_textsqlite3_snprintfsqlite3_value_text
                                • String ID: %02d:%02d:%02d
                                • API String ID: 1073563473-3862977440
                                • Opcode ID: 73579317a1d4373acbbcb391c2b81da1f923f3a9bbe98e78116fa7480436c51c
                                • Instruction ID: bbdb362b4d1c929b0fc365f907460f291fe873368f4f21e76e7fed080ae40de6
                                • Opcode Fuzzy Hash: 73579317a1d4373acbbcb391c2b81da1f923f3a9bbe98e78116fa7480436c51c
                                • Instruction Fuzzy Hash: 3B01A261D0422DAEEF105B548C41BEEB239EF26238F0007D4FAB9211D0E7368EA48B46
                                APIs
                                • sqlite3_result_error.SQLITE3(00000007,00000000,000000FF), ref: 6092D00F
                                • sqlite3_result_error_code.SQLITE3(00000000,00000000), ref: 6092D037
                                Strings
                                • cannot ATTACH database within transaction, xrefs: 6092CD04
                                Similarity
                                • API ID: sqlite3_result_errorsqlite3_result_error_code
                                • String ID: cannot ATTACH database within transaction
                                • API String ID: 3914000214-3302951542
                                • Opcode ID: 92424bc0ba4b32df0cb744f98f9c64bb4d87842009bb6a53bea83c4da9841fa6
                                • Instruction ID: c20bac5d5a360d9fccb77a41e262610d8acb3a5029748688a89a13432c7fe777
                                • Opcode Fuzzy Hash: 92424bc0ba4b32df0cb744f98f9c64bb4d87842009bb6a53bea83c4da9841fa6
                                • Instruction Fuzzy Hash: 70018FB2C18008ABCF00DA949C417DD7676AB65234F240354A434722D0E771DB90DBD2
                                APIs
                                • sqlite3_log.SQLITE3(00000000,constraint failed at %d in [%s],00000000,46C70775), ref: 6091E63E
                                Strings
                                Similarity
                                • API ID: sqlite3_log
                                • String ID: constraint failed at %d in [%s]$e
                                • API String ID: 632333372-2009694268
                                • Opcode ID: ce9f8585516b2f991d96c5195c62a1ac4d81b78019c5be8a755885ff7593f4bc
                                • Instruction ID: 80f6dbab8eee61301e6e16eb3f2d598a837bd740f98b2293fc4399f80fdb0cc0
                                • Opcode Fuzzy Hash: ce9f8585516b2f991d96c5195c62a1ac4d81b78019c5be8a755885ff7593f4bc
                                • Instruction Fuzzy Hash: E9018B72901158CBDF20CF58DC817DC7B72AB24224F0486D9E9396A298E735DED0CF81
                                APIs
                                • sqlite3_strnicmp.SQLITE3(52414E49,INARINAR,00000000), ref: 60932A08
                                Strings
                                Similarity
                                • API ID: sqlite3_strnicmp
                                • String ID: INAR$INARINAR
                                • API String ID: 1961171630-3442119099
                                • Opcode ID: f92bd0921cc1d244ec59695dd244870ef0c49dbf2adf29593e77fc6aff949fe4
                                • Instruction ID: a29447678d6658fbbaf2fce9f17db9ade6c067312552f3979ded42b11d016644
                                • Opcode Fuzzy Hash: f92bd0921cc1d244ec59695dd244870ef0c49dbf2adf29593e77fc6aff949fe4
                                • Instruction Fuzzy Hash: AFF090716043655BDB369E19DD82A873BE9EB65320F004164EE14D7282E730EC11CBE0
                                APIs
                                • sqlite3_strnicmp.SQLITE3(?,sqlite_,00000007), ref: 6092E649
                                Strings
                                • sqlite_, xrefs: 6092E643
                                • object name reserved for internal use: %s, xrefs: 6092E659
                                Similarity
                                • API ID: sqlite3_strnicmp
                                • String ID: object name reserved for internal use: %s$sqlite_
                                • API String ID: 1961171630-4055618681
                                • Opcode ID: 27b44df5261b26be7e0c6419a2bd4f3f30eb7328bb4d069cda13bf24a24b6abf
                                • Instruction ID: 9cbe6e52224b78fcdf05126cb4836d6bdfd580cabf2da39bf6ce8428d5427a2c
                                • Opcode Fuzzy Hash: 27b44df5261b26be7e0c6419a2bd4f3f30eb7328bb4d069cda13bf24a24b6abf
                                • Instruction Fuzzy Hash: 8FF0E9B1D382146AE7016639AC85FC73F9E8B31338F040240FC64A61CBF779DA9485C1
                                APIs
                                • sqlite3_snprintf.SQLITE3(00000080,?,no such database: %s,00000000), ref: 6092D1BB
                                • sqlite3_result_error.SQLITE3(?,?,000000FF), ref: 6092D201
                                Strings
                                Similarity
                                • API ID: sqlite3_result_errorsqlite3_snprintf
                                • String ID: database %s is locked
                                • API String ID: 239710314-2447645556
                                • Opcode ID: 1674431f88f4fd433bbd4df25f48891a94aa5394018d62026eea2ba0d0d47e86
                                • Instruction ID: 2c7d2b59cbeb9ff575f0c9f19dfccb96a099a412e5ef9f921f449ed0331f6543
                                • Opcode Fuzzy Hash: 1674431f88f4fd433bbd4df25f48891a94aa5394018d62026eea2ba0d0d47e86
                                • Instruction Fuzzy Hash: A2F08972E0C0155AFF10965CDC83B997A6AAF3127CF1443A0FE78D51E6FF21C6244692
                                APIs
                                • sqlite3_snprintf.SQLITE3(00000064,?,%04d-%02d-%02d,?,?,?), ref: 60902D08
                                • sqlite3_result_text.SQLITE3(?,?,000000FF,000000FF), ref: 60902D16
                                  • Part of subcall function 609029F8: sqlite3_value_text.SQLITE3(?), ref: 60902AC2
                                Strings
                                Similarity
                                • API ID: sqlite3_result_textsqlite3_snprintfsqlite3_value_text
                                • String ID: %04d-%02d-%02d
                                • API String ID: 1073563473-516894531
                                • Opcode ID: 62d282b5882bac75e5026f785bb6559f35793bf40cdfe319c2ce8ba1c8905e68
                                • Instruction ID: f8fcd898a37fa06e4ead3bdb5871b873ea1658da59a690dfe5799752111cc178
                                • Opcode Fuzzy Hash: 62d282b5882bac75e5026f785bb6559f35793bf40cdfe319c2ce8ba1c8905e68
                                • Instruction Fuzzy Hash: D3F012B2C081296AEF4156544D42FDD763AAB3527CF140388F679301E4FB36CA649766
                                APIs
                                Similarity
                                • API ID: memcpy
                                • String ID:
                                • API String ID: 3510742995-0
                                • Opcode ID: 224f5cb80195640714b139eef9e497f84430a78e289590ca5c24314e4effba22
                                • Instruction ID: a64114aa067d6567175780155e0834e16724963195258b4c59ffd1c2bb6445a5
                                • Opcode Fuzzy Hash: 224f5cb80195640714b139eef9e497f84430a78e289590ca5c24314e4effba22
                                • Instruction Fuzzy Hash: C26195B1D10605EBDB10DFA4DC41BAEFBBAAF25324F108614F934A62D4E335DA50DB91
                                APIs
                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 60908301
                                • malloc.MSVCRT ref: 6090830E
                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 6090832F
                                • free.MSVCRT(00000000), ref: 60908341
                                Similarity
                                • API ID: ByteCharMultiWide$freemalloc
                                • String ID:
                                • API String ID: 2605342592-0
                                • Opcode ID: 2c4866a5839446b7a201c95327d33626e1d4d651ae77ce598a2255f12cd6cdd7
                                • Instruction ID: e7c83f387eba6eedd547519852008890735aa64cffc62c6485f42a8e02ed0484
                                • Opcode Fuzzy Hash: 2c4866a5839446b7a201c95327d33626e1d4d651ae77ce598a2255f12cd6cdd7
                                • Instruction Fuzzy Hash: C5F06861F9922133EA2021BD1C43F97359D8B62E74F244334BE74E62C0FA94E91541E6
                                Strings
                                Similarity
                                • API ID:
                                • String ID: EXCEPT$INTERSECT$UNION$UNION ALL
                                • API String ID: 0-2459858163
                                • Opcode ID: f9c527c07503c6aa4a68655a3a3ee975df5a6fe5cbe1ea16f1ec1774b12f2d7e
                                • Instruction ID: 39c35cf3db39cd1c7825a861d2c7702f8f536396632d08464b6cd2532ae53c46
                                • Opcode Fuzzy Hash: f9c527c07503c6aa4a68655a3a3ee975df5a6fe5cbe1ea16f1ec1774b12f2d7e
                                • Instruction Fuzzy Hash: 11D09E1828837CC2AB7C540CA441695769B2A73A44FF04923E434DE2D5F354EC406E93