
Windows Analysis Report
AUCHKVG4Ic.exe

Overview

General Information

Sample name: AUCHKVG4Ic.exe (renamed because the original name is a hash value)
Original sample name: ae76cb8ba0c29acf348b81f607c81312.exe
Analysis ID: 1566412
MD5: ae76cb8ba0c29acf348b81f607c81312
SHA1: 67e2206d5a5beadc48a7022776ead6a83b07cc55
SHA256: af84cf74629f1487325a0c18e73916087d3af81912b8a87be43300f67da7033c
Tags: exe, user-abuse_ch

Detection

Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Socks5Systemz
AI detected suspicious sample
Contains functionality to infect the boot sector
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • AUCHKVG4Ic.exe (PID: 4588 cmdline: "C:\Users\user\Desktop\AUCHKVG4Ic.exe" MD5: AE76CB8BA0C29ACF348B81F607C81312)
    • AUCHKVG4Ic.tmp (PID: 3872 cmdline: "C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp" /SL5="$20450,3407737,54272,C:\Users\user\Desktop\AUCHKVG4Ic.exe" MD5: 40B10288749DE20BB477384387D5FB8A)
      • net.exe (PID: 4008 cmdline: "C:\Windows\system32\net.exe" pause darel_video_studio_1215 MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 1060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 6528 cmdline: C:\Windows\system32\net1 pause darel_video_studio_1215 MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • darelvideostudio32.exe (PID: 5324 cmdline: "C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe" -i MD5: E883A0F90D0EBC036ED3C6C494AD5073)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-KUG1G.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\ProgramData\TableKnight\TableKnight.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
00000004.00000002.3008595636.0000000002E01000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000004.00000000.1771386321.0000000000401000.00000020.00000001.01000000.00000008.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000004.00000002.3008446756.0000000002D56000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000001.00000002.3008599168.0000000005BB0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Process Memory Space: darelvideostudio32.exe PID: 5324 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

Source | Rule | Description | Author | Strings
4.0.darelvideostudio32.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-02T07:25:01.542508+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:03.849804+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49748 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:06.387280+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49755 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:08.750564+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49766 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:11.052288+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49772 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:13.338375+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49778 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:15.602969+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49784 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:18.173631+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49789 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:20.811268+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49794 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:23.196803+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49800 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:25.506294+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49806 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:28.077242+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49812 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:30.415353+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49818 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:32.713276+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49824 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:35.236621+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49830 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:37.887804+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49837 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:40.274433+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49847 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:42.820881+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49853 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:45.136394+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49859 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:47.520703+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49865 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:49.868905+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49871 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:52.211201+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49877 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:54.562825+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49883 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:56.910094+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49889 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:59.292068+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49894 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:01.666511+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49899 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:03.992973+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49905 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:06.549448+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49910 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:08.972916+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49918 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:11.405790+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49926 | 188.119.66.185 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-02T07:25:02.251899+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49742 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:04.553984+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49748 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:07.120516+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49755 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:09.466645+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49766 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:11.748239+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49772 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:14.031762+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49778 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:16.300787+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49784 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:18.925799+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49789 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:21.535664+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49794 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:23.911502+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49800 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:26.200708+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49806 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:28.788903+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49812 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:31.119326+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49818 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:33.411344+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49824 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:35.945861+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49830 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:38.598762+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49837 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:40.990956+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49847 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:43.552924+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49853 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:45.829763+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49859 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:48.236015+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49865 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:50.595330+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49871 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:52.922897+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49877 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:55.284591+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49883 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:57.615505+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49889 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:00.041634+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49894 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:02.372837+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49899 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:04.696011+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49905 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:07.253029+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49910 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:09.784569+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49918 | 188.119.66.185 | 443 | TCP


                    AV Detection

Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Avira: detection malicious, Label: HEUR/AGEN.1336964
Source: C:\ProgramData\TableKnight\TableKnight.exe | Avira: detection malicious, Label: HEUR/AGEN.1336964
Source: C:\ProgramData\TableKnight\TableKnight.exe | ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | ReversingLabs: Detection: 28%
Source: AUCHKVG4Ic.exe | ReversingLabs: Detection: 34%
Source: AUCHKVG4Ic.exe | Virustotal: Detection: 29%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\TableKnight\TableKnight.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0045CFA8 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,1_2_0045CFA8
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0045D05C ArcFourCrypt,1_2_0045D05C
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0045D074 ArcFourCrypt,1_2_0045D074
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_10001000 ISCryptGetVersion,1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_10001130 ArcFourCrypt,1_2_10001130

                    Compliance

Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Unpacked PE file: 4.2.darelvideostudio32.exe.400000.0.unpack
Source: AUCHKVG4Ic.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Darel VideoStudio_is1
Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.4:49905 version: TLS 1.2
Source: Binary string: msvcp71.pdbx# source: is-6H2NB.tmp.1.dr
Source: Binary string: msvcr71.pdb< source: is-MRTMC.tmp.1.dr
Source: Binary string: msvcp71.pdb source: is-6H2NB.tmp.1.dr
Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-G610Q.tmp.1.dr
Source: Binary string: msvcr71.pdb source: is-MRTMC.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00452A34 FindFirstFileA,GetLastError,1_2_00452A34
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00474D70 FindFirstFileA,FindNextFileA,FindClose,1_2_00474D70
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00462578 FindFirstFileA,FindNextFileA,FindClose,1_2_00462578
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004975B0 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_004975B0
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00463B04 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463B04
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00463F80 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463F80
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49766 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49755 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49778 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49748 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49742 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49784 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49794 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49772 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49853 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49800 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49806 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49789 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49865 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49812 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49830 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49837 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49871 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49847 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49889 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49877 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49894 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49824 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49905 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49859 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49910 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49899 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49883 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49926 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49818 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49918 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49755 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49766 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49742 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49830 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49806 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49818 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49800 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49859 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49853 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49784 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49789 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49837 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49847 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49778 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49812 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49824 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49772 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49894 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49748 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49899 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49889 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49865 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49871 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49794 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49910 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49918 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49905 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49883 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49877 -> 188.119.66.185:443
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_02E02B95 WSASetLastError,WSARecv,WSASetLastError,select, 4_2_02E02B95
                    Source: AUCHKVG4Ic.tmp, AUCHKVG4Ic.tmp, 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AUCHKVG4Ic.tmp.0.dr, is-PKSRV.tmp.1.dr | String found in binary or memory: http://www.innosetup.com/
                    Source: AUCHKVG4Ic.exe, 00000000.00000003.1757782833.0000000002330000.00000004.00001000.00020000.00000000.sdmp, AUCHKVG4Ic.exe, 00000000.00000003.1757930766.0000000002098000.00000004.00001000.00020000.00000000.sdmp, AUCHKVG4Ic.tmp, AUCHKVG4Ic.tmp, 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AUCHKVG4Ic.tmp.0.dr, is-PKSRV.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/ps
                    Source: AUCHKVG4Ic.exe, 00000000.00000003.1757782833.0000000002330000.00000004.00001000.00020000.00000000.sdmp, AUCHKVG4Ic.exe, 00000000.00000003.1757930766.0000000002098000.00000004.00001000.00020000.00000000.sdmp, AUCHKVG4Ic.tmp, 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AUCHKVG4Ic.tmp.0.dr, is-PKSRV.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/psU
                    Source: AUCHKVG4Ic.tmp, 00000001.00000002.3008599168.0000000005D12000.00000004.00001000.00020000.00000000.sdmp, darelvideostudio32.exe, 00000004.00000000.1771608741.0000000000568000.00000002.00000001.01000000.00000008.sdmp, is-KUG1G.tmp.1.dr, darelvideostudio32.exe.1.dr, TableKnight.exe.4.dr | String found in binary or memory: http://www.zldo.narod.ru/plugins.html
                    Source: darelvideostudio32.exe, 00000004.00000002.3008947098.000000000343A000.00000004.00000020.00020000.00000000.sdmp, darelvideostudio32.exe, 00000004.00000002.3007788955.00000000009E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/
                    Source: darelvideostudio32.exe, 00000004.00000002.3008947098.000000000343A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185//
                    Source: darelvideostudio32.exe, 00000004.00000002.3008947098.000000000343A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/1
                    Source: darelvideostudio32.exe, 00000004.00000002.3008947098.000000000343A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/6
                    Source: darelvideostudio32.exe, 00000004.00000002.3008947098.000000000343A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/8
                    Source: darelvideostudio32.exe, 00000004.00000002.3007788955.00000000009E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/?
                    Source: darelvideostudio32.exe, 00000004.00000002.3008947098.0000000003425000.00000004.00000020.00020000.00000000.sdmp, darelvideostudio32.exe, 00000004.00000002.3008947098.000000000343A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/C
                    Source: darelvideostudio32.exe, 00000004.00000002.3008947098.0000000003412000.00000004.00000020.00020000.00000000.sdmp, darelvideostudio32.exe, 00000004.00000002.3007788955.00000000009F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e3008888325
                    Source: darelvideostudio32.exe, 00000004.00000002.3008947098.0000000003425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/allowedCert_OS_1
                    Source: darelvideostudio32.exe, 00000004.00000002.3007788955.00000000009E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/en-GB
                    Source: darelvideostudio32.exe, 00000004.00000002.3008947098.000000000343A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/g
                    Source: darelvideostudio32.exe, 00000004.00000002.3008947098.0000000003425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/icies
                    Source: darelvideostudio32.exe, 00000004.00000002.3007788955.00000000009E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/mCertificates
                    Source: darelvideostudio32.exe, 00000004.00000002.3008947098.000000000343A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/n
                    Source: darelvideostudio32.exe, 00000004.00000002.3008947098.000000000343A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/p
                    Source: darelvideostudio32.exe, 00000004.00000002.3007788955.00000000009E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/priseCertificates
                    Source: darelvideostudio32.exe, 00000004.00000002.3008947098.0000000003425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/rosoft
                    Source: AUCHKVG4Ic.exe, 00000000.00000003.1757394126.0000000002330000.00000004.00001000.00020000.00000000.sdmp, AUCHKVG4Ic.exe, 00000000.00000003.1757461794.0000000002091000.00000004.00001000.00020000.00000000.sdmp, AUCHKVG4Ic.exe, 00000000.00000002.3007531853.0000000002091000.00000004.00001000.00020000.00000000.sdmp, AUCHKVG4Ic.tmp, 00000001.00000002.3007965010.0000000001FE8000.00000004.00001000.00020000.00000000.sdmp, AUCHKVG4Ic.tmp, 00000001.00000002.3007648706.000000000075F000.00000004.00000020.00020000.00000000.sdmp, AUCHKVG4Ic.tmp, 00000001.00000003.1759503685.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, AUCHKVG4Ic.tmp, 00000001.00000003.1759601408.0000000001FE8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.easycutstudio.com/support.html
                    Source: unknown | Network traffic detected: HTTP traffic on port 49865 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49865
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
                    Source: unknown | Network traffic detected: HTTP traffic on port 49926 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49859 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49789 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49800 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49871 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49894 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49818
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49859
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49812
                    Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49778
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49899
                    Source: unknown | Network traffic detected: HTTP traffic on port 49889 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49853
                    Source: unknown | Network traffic detected: HTTP traffic on port 49837 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49894
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
                    Source: unknown | Network traffic detected: HTTP traffic on port 49812 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49794 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49830 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49806
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49926
                    Source: unknown | Network traffic detected: HTTP traffic on port 49905 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49847
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49889
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49800
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49883
                    Source: unknown | Network traffic detected: HTTP traffic on port 49918 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49877 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49824 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49918
                    Source: unknown | Network traffic detected: HTTP traffic on port 49883 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49847 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49837
                    Source: unknown | Network traffic detected: HTTP traffic on port 49778 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49877
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49910
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49830
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49794
                    Source: unknown | Network traffic detected: HTTP traffic on port 49818 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49871
                    Source: unknown | Network traffic detected: HTTP traffic on port 49899 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49910 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49853 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49905
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49824
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49789
                    Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.4:49742 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.4:49905 version: TLS 1.2
                    Source: is-G610Q.tmp.1.dr | Binary or memory string: DirectDrawCreateExmemstr_8677e04a-7
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0042F518 NtdllDefWindowProc_A,1_2_0042F518
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00423B7C NtdllDefWindowProc_A,1_2_00423B7C
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00478554 NtdllDefWindowProc_A,1_2_00478554
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004125D0 NtdllDefWindowProc_A,1_2_004125D0
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004573B4 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,1_2_004573B4
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0042E92C: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,1_2_0042E92C
                    Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_00409448
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004555B8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_004555B8
                    Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Code function: 0_2_0040840C
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00480002
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004704C8
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004671CC
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004352C0
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00486140
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00430354
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004444C0
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004345BC
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00444A68
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00430EE0
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0045EEEC
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0045AF94
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004870A0
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00445160
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0046922C
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0048D400
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0044556C
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00451990
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0043DD48
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_00401051
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_00401C26
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_004070A7
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_609660FA
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6092114F
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6091F2C9
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6096923E
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6093323D
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6095C314
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60950312
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6094D33B
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6093B368
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6096748C
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6093F42E
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60954470
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_609615FA
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6096A5EE
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6096D6A4
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_609606A8
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60932654
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60955665
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6094B7DB
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6092F74D
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60964807
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6094E9BC
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60937929
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6093FAD6
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6096DAE8
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6094DA3A
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60936B27
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60954CF6
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60950C6B
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60966DF1
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60963D35
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60909E9C
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60951E86
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60912E0B
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60954FF8
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_02E1D38D
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_02E19084
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_02E24029
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_02E0E1AB
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_02E1CE99
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_02E17642
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_02E19E3A
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_02E1D7A5
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_02E21FB4
                    Source: Joe Sandbox View | Dropped File: C:\ProgramData\TableKnight\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: String function: 02E17CE0 appears 37 times
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: String function: 02E24530 appears 137 times
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: String function: 0040595C appears 116 times
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: String function: 00403400 appears 61 times
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: String function: 00406AB4 appears 41 times
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: String function: 00445DCC appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: String function: 004344D4 appears 32 times
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: String function: 0044609C appears 59 times
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: String function: 00408BFC appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: String function: 00457D3C appears 73 times
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: String function: 00403494 appears 82 times
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: String function: 004078E4 appears 42 times
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: String function: 00453318 appears 93 times
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: String function: 00457B30 appears 94 times
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: String function: 00403684 appears 221 times
                    Source: AUCHKVG4Ic.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                    Source: AUCHKVG4Ic.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: AUCHKVG4Ic.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: AUCHKVG4Ic.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: is-PKSRV.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: is-PKSRV.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: is-PKSRV.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: sqlite3.dll.4.dr | Static PE information: Number of sections : 19 > 10
                    Source: is-2EFRQ.tmp.1.dr | Static PE information: Number of sections : 19 > 10
                    Source: AUCHKVG4Ic.exe, 00000000.00000003.1757782833.0000000002330000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs AUCHKVG4Ic.exe
                    Source: AUCHKVG4Ic.exe, 00000000.00000003.1757930766.0000000002098000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs AUCHKVG4Ic.exe
                    Source: AUCHKVG4Ic.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/30@0/1
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_02E0FAA8 FormatMessageA,GetLastError,4_2_02E0FAA8
                    Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_00409448
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004555B8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_004555B8
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00455DE0 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,1_2_00455DE0
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: CreateServiceA,CloseServiceHandle,4_2_004022B3
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0046DF04 GetVersion,CoCreateInstance,1_2_0046DF04
                    Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Code function: 0_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource,0_2_00409BEC
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_0040D0E8 StartServiceCtrlDispatcherA,4_2_0040D0E8
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_0040D0E8 StartServiceCtrlDispatcherA,4_2_0040D0E8
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1060:120:WilError_03
                    Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | File created: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp
                    Source: Yara match | File source: 4.0.darelvideostudio32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000004.00000000.1771386321.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.3008599168.0000000005BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-KUG1G.tmp, type: DROPPED
                    Source: Yara match | File source: C:\ProgramData\TableKnight\TableKnight.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe, type: DROPPED
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File read: C:\Windows\win.ini
                    Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                    Source: darelvideostudio32.exe, darelvideostudio32.exe, 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-2EFRQ.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: darelvideostudio32.exe, 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-2EFRQ.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: darelvideostudio32.exe, darelvideostudio32.exe, 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-2EFRQ.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                    Source: darelvideostudio32.exe, 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-2EFRQ.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                    Source: darelvideostudio32.exe, 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-2EFRQ.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                    Source: darelvideostudio32.exe, 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-2EFRQ.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                    Source: darelvideostudio32.exe, 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-2EFRQ.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                    Source: darelvideostudio32.exe, 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-2EFRQ.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: darelvideostudio32.exe, 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-2EFRQ.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: darelvideostudio32.exe, 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-2EFRQ.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                    Source: darelvideostudio32.exe, 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-2EFRQ.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: darelvideostudio32.exe, darelvideostudio32.exe, 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-2EFRQ.tmp.1.dr, sqlite3.dll.4.dr | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: AUCHKVG4Ic.exe | ReversingLabs: Detection: 34%
                    Source: AUCHKVG4Ic.exe | Virustotal: Detection: 29%
                    Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | File read: C:\Users\user\Desktop\AUCHKVG4Ic.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\AUCHKVG4Ic.exe "C:\Users\user\Desktop\AUCHKVG4Ic.exe"
                    Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Process created: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp "C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp" /SL5="$20450,3407737,54272,C:\Users\user\Desktop\AUCHKVG4Ic.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" pause darel_video_studio_1215
                    Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Process created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe "C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe" -i
                    Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 pause darel_video_studio_1215
                    Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Process created: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp "C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp" /SL5="$20450,3407737,54272,C:\Users\user\Desktop\AUCHKVG4Ic.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" pause darel_video_studio_1215
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Process created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe "C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe" -i
                    Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 pause darel_video_studio_1215
                    Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: textinputframework.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: coreuicomponents.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: msacm32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: riched20.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: usp10.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: msls31.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: explorerframe.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: sfc.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Section loaded: sfc_os.dll
                    Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
                    Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
                    Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
                    Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: sqlite3.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: appxsip.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: opcservices.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmpWindow found: window name: TMainFormJump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmpRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Darel VideoStudio_is1Jump to behavior
                    Source: AUCHKVG4Ic.exeStatic file information: File size 3655965 > 1048576
                    Source: Binary string: msvcp71.pdbx# source: is-6H2NB.tmp.1.dr
                    Source: Binary string: msvcr71.pdb< source: is-MRTMC.tmp.1.dr
                    Source: Binary string: msvcp71.pdb source: is-6H2NB.tmp.1.dr
                    Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-G610Q.tmp.1.dr
                    Source: Binary string: msvcr71.pdb source: is-MRTMC.tmp.1.dr

                    Data Obfuscation

Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Unpacked PE file: 4.2.darelvideostudio32.exe.400000.0.unpack _stum_1:ER;_stun_1:R;_stuo_1:W;.rsrc:R;_stup_1:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Unpacked PE file: 4.2.darelvideostudio32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00450294 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00450294
Source: initial sample | Static PE information: section where entry point is pointing to: _stum_1
Source: darelvideostudio32.exe.1.dr | Static PE information: section name: _stum_1
Source: darelvideostudio32.exe.1.dr | Static PE information: section name: _stun_1
Source: darelvideostudio32.exe.1.dr | Static PE information: section name: _stuo_1
Source: darelvideostudio32.exe.1.dr | Static PE information: section name: _stup_1
Source: is-2EFRQ.tmp.1.dr | Static PE information: section name: /4
Source: is-2EFRQ.tmp.1.dr | Static PE information: section name: /19
Source: is-2EFRQ.tmp.1.dr | Static PE information: section name: /35
Source: is-2EFRQ.tmp.1.dr | Static PE information: section name: /51
Source: is-2EFRQ.tmp.1.dr | Static PE information: section name: /63
Source: is-2EFRQ.tmp.1.dr | Static PE information: section name: /77
Source: is-2EFRQ.tmp.1.dr | Static PE information: section name: /89
Source: is-2EFRQ.tmp.1.dr | Static PE information: section name: /102
Source: is-2EFRQ.tmp.1.dr | Static PE information: section name: /113
Source: is-2EFRQ.tmp.1.dr | Static PE information: section name: /124
Source: is-G610Q.tmp.1.dr | Static PE information: section name: Shared
Source: TableKnight.exe.4.dr | Static PE information: section name: _stum_1
Source: TableKnight.exe.4.dr | Static PE information: section name: _stun_1
Source: TableKnight.exe.4.dr | Static PE information: section name: _stuo_1
Source: TableKnight.exe.4.dr | Static PE information: section name: _stup_1
Source: sqlite3.dll.4.dr | Static PE information: section name: /4
Source: sqlite3.dll.4.dr | Static PE information: section name: /19
Source: sqlite3.dll.4.dr | Static PE information: section name: /35
Source: sqlite3.dll.4.dr | Static PE information: section name: /51
Source: sqlite3.dll.4.dr | Static PE information: section name: /63
Source: sqlite3.dll.4.dr | Static PE information: section name: /77
Source: sqlite3.dll.4.dr | Static PE information: section name: /89
Source: sqlite3.dll.4.dr | Static PE information: section name: /102
Source: sqlite3.dll.4.dr | Static PE information: section name: /113
Source: sqlite3.dll.4.dr | Static PE information: section name: /124
Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Code function: 0_2_004065B8 push 004065F5h; ret 0_2_004065ED
Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0040993C push 00409979h; ret 1_2_00409971
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0040A037 push ds; ret 1_2_0040A038
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004941B8 push ecx; mov dword ptr [esp], ecx 1_2_004941BD
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax 1_2_004062B5
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004106C8 push ecx; mov dword ptr [esp], edx 1_2_004106CD
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00412920 push 00412983h; ret 1_2_0041297B
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00484BE8 push ecx; mov dword ptr [esp], ecx 1_2_00484BED
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0040D020 push ecx; mov dword ptr [esp], edx 1_2_0040D022
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004590F0 push 00459134h; ret 1_2_0045912C
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00443438 push ecx; mov dword ptr [esp], ecx 1_2_0044343C
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00483544 push 00483633h; ret 1_2_0048362B
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0040F580 push ecx; mov dword ptr [esp], edx 1_2_0040F582
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0047759C push ecx; mov dword ptr [esp], edx 1_2_0047759D
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004517CC push 004517FFh; ret 1_2_004517F7
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00451990 push ecx; mov dword ptr [esp], eax 1_2_00451995
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0045FB44 push ecx; mov dword ptr [esp], ecx 1_2_0045FB48
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00419C20 push ecx; mov dword ptr [esp], ecx 1_2_00419C25
Source: darelvideostudio32.exe.1.dr | Static PE information: section name: _stum_1 entropy: 7.760226038116491
Source: TableKnight.exe.4.dr | Static PE information: section name: _stum_1 entropy: 7.760226038116491

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 4_2_00401A4F
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 4_2_02E0E9D4
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\ltkrn13n.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-MRTMC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-2EFRQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Temp\is-MI0D5.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | File created: C:\ProgramData\TableKnight\TableKnight.exe
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Temp\is-MI0D5.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\msvcr71.dll (copy)
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | File created: C:\ProgramData\TableKnight\sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Temp\is-MI0D5.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-KJ819.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\uninstall\is-PKSRV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-6H2NB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\LTDIS13n.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-C09GP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\sqlite3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\uninstall\unins000.exe (copy)
Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | File created: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-G610Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\gdiplus.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\msvcp71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-EF30Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | File created: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\bjpeg23.dll (copy)
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | File created: C:\ProgramData\TableKnight\TableKnight.exe
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | File created: C:\ProgramData\TableKnight\sqlite3.dll

Boot Survival

Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 4_2_00401A4F
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 4_2_02E0E9D4
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_0040D0E8 StartServiceCtrlDispatcherA, 4_2_0040D0E8
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00423C04 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C04
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00423C04 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C04
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004241D4 IsIconic,SetActiveWindow,SetFocus, 1_2_004241D4
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0042418C IsIconic,SetActiveWindow, 1_2_0042418C
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0041837C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_0041837C
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00422854 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_00422854
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00482EF8 IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_00482EF8
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00417590 IsIconic,GetCapture, 1_2_00417590
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00417CC6 IsIconic,SetWindowPos, 1_2_00417CC6
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00417CC8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417CC8
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0041F110 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0041F110
Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_00402C0B rdtsc 4_2_00402C0B
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 4_2_00401B4B
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 4_2_02E0EAD8
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Window / User API: threadDelayed 5681
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Window / User API: threadDelayed 4242
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\ltkrn13n.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-MRTMC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-2EFRQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-MI0D5.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-MI0D5.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\msvcr71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-KJ819.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-MI0D5.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\uninstall\is-PKSRV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\LTDIS13n.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-6H2NB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-C09GP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-G610Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\gdiplus.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\msvcp71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-EF30Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\bjpeg23.dll (copy)
Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_0-5699
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_4-62043
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | API coverage: 3.2 %
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe TID: 4460 | Thread sleep count: 5681 > 30
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe TID: 4460 | Thread sleep time: -11362000s >= -30000s
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe TID: 1144 | Thread sleep time: -1500000s >= -30000s
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe TID: 4460 | Thread sleep count: 4242 > 30
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe TID: 4460 | Thread sleep time: -8484000s >= -30000s
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00452A34 FindFirstFileA,GetLastError, 1_2_00452A34
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00474D70 FindFirstFileA,FindNextFileA,FindClose, 1_2_00474D70
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00462578 FindFirstFileA,FindNextFileA,FindClose, 1_2_00462578
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004975B0 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_004975B0
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00463B04 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463B04
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00463F80 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463F80
Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Code function: 0_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409B30
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Thread delayed: delay time: 60000
Source: darelvideostudio32.exe, 00000004.00000002.3007788955.0000000000908000.00000004.00000020.00020000.00000000.sdmp, darelvideostudio32.exe, 00000004.00000002.3008947098.0000000003412000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | API call chain: ExitProcess graph end node graph_0-6739
Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | API call chain: ExitProcess graph end node graph_4-61768
Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Process information queried: ProcessInformation

Anti Debugging

                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep | graph_4-61939
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_00402C0B rdtsc | 4_2_00402C0B
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_02E1F2FE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer | 4_2_02E1F2FE
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00450294 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 1_2_00450294
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_02E05F1A RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection | 4_2_02E05F1A
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_02E18668 SetUnhandledExceptionFilter,UnhandledExceptionFilter | 4_2_02E18668
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00477F98 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle | 1_2_00477F98
                    Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 pause darel_video_studio_1215
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_0042E094 AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid | 1_2_0042E094
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_02E171AD cpuid | 4_2_02E171AD
                    Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Code function: GetLocaleInfoA | 0_2_004051FC
                    Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Code function: GetLocaleInfoA | 0_2_00405248
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: GetLocaleInfoA | 1_2_00408558
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: GetLocaleInfoA | 1_2_004085A4
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_004583E8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle | 1_2_004583E8
                    Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Code function: 0_2_004026C4 GetSystemTime | 0_2_004026C4
                    Source: C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp | Code function: 1_2_00455570 GetUserNameA | 1_2_00455570
                    Source: C:\Users\user\Desktop\AUCHKVG4Ic.exe | Code function: 0_2_00405CE4 GetVersionExA | 0_2_00405CE4

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 00000004.00000002.3008595636.0000000002E01000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.3008446756.0000000002D56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: darelvideostudio32.exe PID: 5324, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 00000004.00000002.3008595636.0000000002E01000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.3008446756.0000000002D56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: darelvideostudio32.exe PID: 5324, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value | 4_2_609660FA
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave | 4_2_6090C1D6
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave | 4_2_60963143
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset | 4_2_6096A2BD
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free | 4_2_6096923E
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset | 4_2_6096A38C
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free | 4_2_6096748C
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave | 4_2_609254B1
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset | 4_2_6094B407
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6090F435 sqlite3_bind_parameter_index | 4_2_6090F435
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16 | 4_2_609255D4
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_609255FF sqlite3_bind_text | 4_2_609255FF
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free | 4_2_6096A5EE
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove | 4_2_6094B54C
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave | 4_2_60925686
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free | 4_2_6094A6C5
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64 | 4_2_609256E5
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step | 4_2_6094B6ED
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6092562A sqlite3_bind_blob | 4_2_6092562A
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave | 4_2_60925655
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free | 4_2_6094C64A
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free | 4_2_609687A7
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset | 4_2_6095F7F7
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave | 4_2_6092570B
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset | 4_2_6095F772
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob | 4_2_60925778
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6090577D sqlite3_bind_parameter_name | 4_2_6090577D
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step | 4_2_6094B764
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6090576B sqlite3_bind_parameter_count | 4_2_6090576B
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset | 4_2_6094A894
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset | 4_2_6095F883
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset | 4_2_6094C8C2
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free | 4_2_6096281E
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset | 4_2_6096583A
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset | 4_2_6095F9AD
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset | 4_2_6094A92B
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6090EAE5 sqlite3_transfer_bindings | 4_2_6090EAE5
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset | 4_2_6095FB98
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value | 4_2_6095ECA6
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset | 4_2_6095FCCE
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free | 4_2_6095FDAE
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob | 4_2_60966DF1
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset | 4_2_60969D75
                    Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | Code function: 4_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code | 4_2_6095FFB2

                    MITRE ATT&CK Matrix (flattened from the report's 14-column grid; listed per tactic in column order, each entry keeping the numeric badge the extracted matrix attached to it)

                    Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
                    Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
                    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
                    Execution: Native API (3), Service Execution (2), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
                    Persistence: DLL Side-Loading (1), Windows Service (5), Bootkit (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
                    Privilege Escalation: Exploitation for Privilege Escalation (1), DLL Side-Loading (1), Access Token Manipulation (1), Windows Service (5), Process Injection (12), RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
                    Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (21), DLL Side-Loading (1), Masquerading (1), Virtualization/Sandbox Evasion (121), Access Token Manipulation (1), Process Injection (12), Bootkit (1), Dynamic API Resolution
                    Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
                    Discovery: System Time Discovery (1), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (35), Security Software Discovery (251), Process Discovery (1), Virtualization/Sandbox Evasion (121), Application Window Discovery (11), System Owner/User Discovery (3), System Network Configuration Discovery (1)
                    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
                    Collection: Archive Collected Data (1), Input Capture (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
                    Command and Control: Ingress Tool Transfer (2), Encrypted Channel (21), Non-Application Layer Protocol (1), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
                    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                    Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
                    Behavior Graph ID: 1566412 | Sample: AUCHKVG4Ic.exe | Start date: 02/12/2024 | Architecture: WINDOWS | Score: 100
                    Signatures attached to the start node: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 7 other signatures

                    Process tree recovered from the behavior graph:
                    AUCHKVG4Ic.exe (started)
                        dropped: C:\Users\user\AppData\...\AUCHKVG4Ic.tmp, PE32
                        AUCHKVG4Ic.tmp (started)
                            dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
                            dropped: C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32
                            dropped: C:\Users\user\AppData\...\unins000.exe (copy), PE32
                            dropped: 17 other files (10 malicious)
                            darelvideostudio32.exe (started)
                                network: 188.119.66.185, 443, 49742, 49748 FLYNETRU Russian Federation
                                dropped: C:\ProgramData\TableKnight\sqlite3.dll, PE32
                                dropped: C:\ProgramData\TableKnight\TableKnight.exe, PE32
                            net.exe (started)
                                conhost.exe (started)
                                net1.exe (started)

                    Source | Detection | Scanner | Label | Link
                    AUCHKVG4Ic.exe | 34% | ReversingLabs | Win32.Trojan.Munp | -
                    AUCHKVG4Ic.exe | 29% | Virustotal | - | Browse
                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | 100% | Avira | HEUR/AGEN.1336964 | -
                    C:\ProgramData\TableKnight\TableKnight.exe | 100% | Avira | HEUR/AGEN.1336964 | -
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | 100% | Joe Sandbox ML | - | -
                    C:\ProgramData\TableKnight\TableKnight.exe | 100% | Joe Sandbox ML | - | -
                    C:\ProgramData\TableKnight\TableKnight.exe | 29% | ReversingLabs | - | -
                    C:\ProgramData\TableKnight\sqlite3.dll | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\LTDIS13n.dll (copy) | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\bjpeg23.dll (copy) | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe | 29% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\gdiplus.dll (copy) | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-2EFRQ.tmp | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-6H2NB.tmp | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-C09GP.tmp | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-EF30Q.tmp | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-G610Q.tmp | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-KJ819.tmp | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-MRTMC.tmp | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\ltkrn13n.dll (copy) | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\msvcp71.dll (copy) | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\msvcr71.dll (copy) | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\sqlite3.dll (copy) | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\uninstall\is-PKSRV.tmp | 3% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\uninstall\unins000.exe (copy) | 3% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Temp\is-MI0D5.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Temp\is-MI0D5.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | - | -
                    C:\Users\user\AppData\Local\Temp\is-MI0D5.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | - | -
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e3008888325 | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185// | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/p | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/priseCertificates | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/1 | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/n | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/mCertificates | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/8 | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/rosoft | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/ | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a | 0% | Avira URL Cloud | safe | -
                    http://www.zldo.narod.ru/plugins.html | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/6 | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/en-GB | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185// | 1% | Virustotal | - | Browse
                    https://188.119.66.185/C | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/? | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/allowedCert_OS_1 | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/icies | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/priseCertificates | 1% | Virustotal | - | Browse
                    https://188.119.66.185/g | 0% | Avira URL Cloud | safe | -
                    https://188.119.66.185/1 | 1% | Virustotal | - | Browse
                    No contacted domains info
                    Name | Malicious | Antivirus Detection | Reputation
                    https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a | false | Avira URL Cloud: safe | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://www.innosetup.com/ | AUCHKVG4Ic.tmp, AUCHKVG4Ic.tmp, 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AUCHKVG4Ic.tmp.0.dr, is-PKSRV.tmp.1.dr | false | - | high
                    https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e3008888325 | darelvideostudio32.exe, 00000004.00000002.3008947098.0000000003412000.00000004.00000020.00020000.00000000.sdmp, darelvideostudio32.exe, 00000004.00000002.3007788955.00000000009F6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://188.119.66.185/1 | darelvideostudio32.exe, 00000004.00000002.3008947098.000000000343A000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                    http://www.remobjects.com/psU | AUCHKVG4Ic.exe, 00000000.00000003.1757782833.0000000002330000.00000004.00001000.00020000.00000000.sdmp, AUCHKVG4Ic.exe, 00000000.00000003.1757930766.0000000002098000.00000004.00001000.00020000.00000000.sdmp, AUCHKVG4Ic.tmp, 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AUCHKVG4Ic.tmp.0.dr, is-PKSRV.tmp.1.dr | false | - | high
                    https://188.119.66.185/p | darelvideostudio32.exe, 00000004.00000002.3008947098.000000000343A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://188.119.66.185/priseCertificates | darelvideostudio32.exe, 00000004.00000002.3007788955.00000000009E3000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                    https://188.119.66.185// | darelvideostudio32.exe, 00000004.00000002.3008947098.000000000343A000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                    https://188.119.66.185/n | darelvideostudio32.exe, 00000004.00000002.3008947098.000000000343A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://188.119.66.185/mCertificates | darelvideostudio32.exe, 00000004.00000002.3007788955.00000000009E3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://188.119.66.185/8 | darelvideostudio32.exe, 00000004.00000002.3008947098.000000000343A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://188.119.66.185/rosoft | darelvideostudio32.exe, 00000004.00000002.3008947098.0000000003425000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://188.119.66.185/ | darelvideostudio32.exe, 00000004.00000002.3008947098.000000000343A000.00000004.00000020.00020000.00000000.sdmp, darelvideostudio32.exe, 00000004.00000002.3007788955.00000000009E3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://www.zldo.narod.ru/plugins.html | AUCHKVG4Ic.tmp, 00000001.00000002.3008599168.0000000005D12000.00000004.00001000.00020000.00000000.sdmp, darelvideostudio32.exe, 00000004.00000000.1771608741.0000000000568000.00000002.00000001.01000000.00000008.sdmp, is-KUG1G.tmp.1.dr, darelvideostudio32.exe.1.dr, TableKnight.exe.4.dr | false | Avira URL Cloud: safe | unknown
                    https://188.119.66.185/6 | darelvideostudio32.exe, 00000004.00000002.3008947098.000000000343A000.00000004.00000020.00020000.00000000.sdmp | false
                        • Avira URL Cloud: safe
                        unknown
                        https://188.119.66.185/en-GBdarelvideostudio32.exe, 00000004.00000002.3007788955.00000000009E3000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://188.119.66.185/Cdarelvideostudio32.exe, 00000004.00000002.3008947098.0000000003425000.00000004.00000020.00020000.00000000.sdmp, darelvideostudio32.exe, 00000004.00000002.3008947098.000000000343A000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.remobjects.com/psAUCHKVG4Ic.exe, 00000000.00000003.1757782833.0000000002330000.00000004.00001000.00020000.00000000.sdmp, AUCHKVG4Ic.exe, 00000000.00000003.1757930766.0000000002098000.00000004.00001000.00020000.00000000.sdmp, AUCHKVG4Ic.tmp, AUCHKVG4Ic.tmp, 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AUCHKVG4Ic.tmp.0.dr, is-PKSRV.tmp.1.drfalse
                          high
                          https://188.119.66.185/?darelvideostudio32.exe, 00000004.00000002.3007788955.00000000009E3000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.easycutstudio.com/support.htmlAUCHKVG4Ic.exe, 00000000.00000003.1757394126.0000000002330000.00000004.00001000.00020000.00000000.sdmp, AUCHKVG4Ic.exe, 00000000.00000003.1757461794.0000000002091000.00000004.00001000.00020000.00000000.sdmp, AUCHKVG4Ic.exe, 00000000.00000002.3007531853.0000000002091000.00000004.00001000.00020000.00000000.sdmp, AUCHKVG4Ic.tmp, 00000001.00000002.3007965010.0000000001FE8000.00000004.00001000.00020000.00000000.sdmp, AUCHKVG4Ic.tmp, 00000001.00000002.3007648706.000000000075F000.00000004.00000020.00020000.00000000.sdmp, AUCHKVG4Ic.tmp, 00000001.00000003.1759503685.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, AUCHKVG4Ic.tmp, 00000001.00000003.1759601408.0000000001FE8000.00000004.00001000.00020000.00000000.sdmpfalse
                            high
                            https://188.119.66.185/allowedCert_OS_1darelvideostudio32.exe, 00000004.00000002.3008947098.0000000003425000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://188.119.66.185/iciesdarelvideostudio32.exe, 00000004.00000002.3008947098.0000000003425000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://188.119.66.185/gdarelvideostudio32.exe, 00000004.00000002.3008947098.000000000343A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.119.66.185 | unknown | Russian Federation | 209499 | FLYNETRU | false
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1566412
                            Start date and time:2024-12-02 07:23:05 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 6m 5s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:AUCHKVG4Ic.exe
                            renamed because original name is a hash value
                            Original Sample Name:ae76cb8ba0c29acf348b81f607c81312.exe
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@10/30@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 91%
                            • Number of executed functions: 178
                            • Number of non-executed functions: 282
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing disassembly code.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:24:40 | API Interceptor | 548658x Sleep call for process: darelvideostudio32.exe modified
                            No context
                            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FLYNETRU | https://drive.google.com/file/d/11kk4glvCJRDeJ3XhdemRR_FFW8tGlSei/view?usp=sharing_eip&ts=67364a0b | malicious | Unknown | 188.119.66.154
FLYNETRU | https://onlinefeature.blob.core.windows.net/plus/online.html?jd6123 | malicious | Unknown | 188.119.66.154
FLYNETRU | https://drive.google.com/file/d/18nCGMab9f1NLpGJOXakFvZYKY-28KcAU | malicious | Unknown | 188.119.66.154
FLYNETRU | https://account.access.online.wellsfarqoadvisor.com/ | malicious | Unknown | 188.119.66.154
FLYNETRU | https://drive.google.com/file/d/1NEezG13UwZmQ3Wo3-DatJjXtVryEdLgi/view?usp=sharing_eil_m&ts=66abab49 | malicious | Unknown | 188.119.66.154
FLYNETRU | https://drive.google.com/file/d/1k12LdpNmUu0v8Yq62fSmRHaTyelrig_e/view?usp=sharing_eil_m&ts=66aba2b8 | malicious | Unknown | 188.119.66.154
FLYNETRU | https://drive.google.com/file/d/1_aEpYOY1FVGWm0tYgtIqzmiLUYAxv3xX/view?usp=sharing_eil_m&ts=66aa981d | malicious | Unknown | 188.119.66.154
FLYNETRU | https://drive.google.com/file/d/1iBGZ3tnBbFf8JoQ7AtG9EaiEdvQdWLdG/view?usp=sharing_eil_m&ts=66aa9881 | malicious | Unknown | 188.119.66.154
FLYNETRU | https://drive.google.com/file/d/1zSpnnmNby57iJjkk1VT46OLWl7gkrx-3/view?usp=sharing_eil_m&ts=66aa52c7 | malicious | Unknown | 188.119.66.154
FLYNETRU | Important_ Review Needed - Access-ID Restriction Notice.pdf | malicious | Unknown | 188.119.66.154
Match | Associated Sample Name / URL | Detection | Threat Name | Context
51c64c77e60f3980eea90869b68c58a8 | SOfQumBuFd.exe | malicious | Binder HackTool, Stealc, Vidar | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | cZ3Ju8l4ia.dll | malicious | CobaltStrike | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | o17Id8x04U.dll | malicious | CobaltStrike | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | cZ3Ju8l4ia.dll | malicious | CobaltStrike | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | o17Id8x04U.dll | malicious | CobaltStrike | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | QkBj8CevLU.exe | malicious | Stealc, Vidar | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | Zu52pZcHen.exe | malicious | CobaltStrike, Metasploit | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | u5ge1oaSA6.exe | malicious | CobaltStrike, Metasploit | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | G05J2DyCQA.exe | malicious | CobaltStrike, Metasploit | 188.119.66.185
51c64c77e60f3980eea90869b68c58a8 | LauncherV3.31.exe | malicious | Stealc, Vidar | 188.119.66.185
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\TableKnight\sqlite3.dll | getlab.exe | malicious | Socks5Systemz
C:\ProgramData\TableKnight\sqlite3.dll | file.exe | malicious | Nymaim, Socks5Systemz
C:\ProgramData\TableKnight\sqlite3.dll | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar
C:\ProgramData\TableKnight\sqlite3.dll | file.exe | malicious | Socks5Systemz
C:\ProgramData\TableKnight\sqlite3.dll | file.exe | malicious | Socks5Systemz
C:\ProgramData\TableKnight\sqlite3.dll | OXrZ6fj4Hq.exe | malicious | Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm
C:\ProgramData\TableKnight\sqlite3.dll | IrAr85Qv7X.exe | malicious | Mars Stealer, Vidar
C:\ProgramData\TableKnight\sqlite3.dll | 8BQ2v9glrG.exe | malicious | Mars Stealer, Vidar
C:\ProgramData\TableKnight\sqlite3.dll | BBiIn5gqhd.exe | malicious | Mars Stealer, Vidar
C:\ProgramData\TableKnight\sqlite3.dll | gacut_837143941.exe | malicious | Unknown
                                                Process:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):3955723
                                                Entropy (8bit):6.277901645053585
                                                Encrypted:false
                                                SSDEEP:49152:AIZ3lKkj164PmNNo6SUUGoUvX3J3Dn1jS/W1:Ak3lKkxDeNC6SbGoUvX3J3Rm/W1
                                                MD5:E883A0F90D0EBC036ED3C6C494AD5073
                                                SHA1:FB2C5FF8D8E0B5C7B40A23C7121755307C0E117C
                                                SHA-256:CEC73E5814BC73C66239F100E24FB60B3E38FDC1CB3597FDDFD42CD165D39BE5
                                                SHA-512:43203970B0B09C64F67B61DD063142DEB600B51AC3CB9951808AD0B8DD6932225F961C843AF8866C6537A086C3A999C932FF87B093CF3597019FC98DA9370A3A
                                                Malicious:true
                                                Yara Hits:
                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\TableKnight\TableKnight.exe, Author: Joe Security
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 29%
                                                Reputation:low
                                                Process:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):645592
                                                Entropy (8bit):6.50414583238337
                                                Encrypted:false
                                                SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Joe Sandbox View:
• Filename: getlab.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: OXrZ6fj4Hq.exe, Detection: malicious
• Filename: IrAr85Qv7X.exe, Detection: malicious
• Filename: 8BQ2v9glrG.exe, Detection: malicious
• Filename: BBiIn5gqhd.exe, Detection: malicious
• Filename: gacut_837143941.exe, Detection: malicious
                                                Reputation:high, very likely benign file
                                                Process:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
                                                File Type:ISO-8859 text, with no line terminators
                                                Category:dropped
                                                Size (bytes):8
                                                Entropy (8bit):2.0
                                                Encrypted:false
                                                SSDEEP:3:YCl/ln:Ym/ln
                                                MD5:0377A134AD66D4B51F99029D1D4B8E41
                                                SHA1:E2DDE9360224FE231E6FDC0AC9865F6D5D952053
                                                SHA-256:BD033D5146E95D99ED81A485C056296F218D6349B2EC18B6A98A64D39A77ED47
                                                SHA-512:FF97DF5E7184E3DE1307A18A65890273DF654F0D3584D40D9EFD6438A84650F7DB6FDF07DE1C2B9533DFABDE4B810FA3AB3BA02250253FEB105E7135A8A984A4
                                                Malicious:false
                                                Reputation:low
                                                Preview:.RMg....
                                                Process:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):4
                                                Entropy (8bit):0.8112781244591328
                                                Encrypted:false
                                                SSDEEP:3:4ln:on
                                                MD5:4616D47786BC7F127A19D876FAC19DE2
                                                SHA1:8DCE15A7067D398B07F94BF5FDD497F56EA7FB34
                                                SHA-256:AD497F997EAD95DB601F7D7ED72A7A624BA52CE6F4145A6DC7EC10D1F03876A9
                                                SHA-512:CBDC804D6F96C581A3E5E9420B88A79F0E75465E445D7F1DCED25D3AF7F1F28790BD99CA62C5ED5E2C9E05195F184637DBEDE1AE7013101060167A8366C6C6F4
                                                Malicious:false
                                                Reputation:low
                                                Preview:....
                                                Process:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):128
                                                Entropy (8bit):2.9012093522336393
                                                Encrypted:false
                                                SSDEEP:3:ObXXXd0AbDBdUBWetxt:Or9Lb3UFx
                                                MD5:679DD163372163CD8FFC24E3C9E758B3
                                                SHA1:F307C14CA65810C8D0238B89B49B2ACD7C5B233B
                                                SHA-256:510EA89D00FA427C33BD67AEEA60D21066976F085959C2AFE1F69411A8CA722D
                                                SHA-512:46C464F15BCE39E28DCD48AF36C424845631D2B48D7E37D7FBBBEE0BC4DF32445A2810E397BF29FCA76C0364B1AA30CC05DCF4D9E799C6C697B49A174560969C
                                                Malicious:false
                                                Preview:12b48997735ce8b4537cf99be74bb62f518d3799011c89eb7c719048e83fac56................................................................
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):265728
                                                Entropy (8bit):6.4472652154517345
                                                Encrypted:false
                                                SSDEEP:6144:Fs7u3JL96d15Y2BmKh678IuYAhN3YCjlgiZioXyLWvCe93rZ5WZOlUmpNJ5mlbb/:e7WJL96d15Y2BmKh678IuYAhN3YCjlgw
                                                MD5:752CA72DE243F44AF2ED3FF023EF826E
                                                SHA1:7B508F6B72BD270A861B368EC9FE4BF55D8D472F
                                                SHA-256:F8196F03F8CBED87A92BA5C1207A9063D4EEBB0C22CA88A279F1AE1B1F1B8196
                                                SHA-512:4E5A7242C25D4BBF9087F813D4BF057432271A0F08580DA8C894B7C290DE9E0CF640F6F616B0B6C6CAD14DC0AFDD2697D2855BA4070270824540BAE835FE8C4A
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):176128
                                                Entropy (8bit):6.204917493416147
                                                Encrypted:false
                                                SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:MS Windows HtmlHelp Data
                                                Category:dropped
                                                Size (bytes):78183
                                                Entropy (8bit):7.692742945771669
                                                Encrypted:false
                                                SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                Malicious:false
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:modified
                                                Size (bytes):3955723
                                                Entropy (8bit):6.277901645053585
                                                Encrypted:false
                                                SSDEEP:49152:AIZ3lKkj164PmNNo6SUUGoUvX3J3Dn1jS/W1:Ak3lKkxDeNC6SbGoUvX3J3Rm/W1
                                                MD5:E883A0F90D0EBC036ED3C6C494AD5073
                                                SHA1:FB2C5FF8D8E0B5C7B40A23C7121755307C0E117C
                                                SHA-256:CEC73E5814BC73C66239F100E24FB60B3E38FDC1CB3597FDDFD42CD165D39BE5
                                                SHA-512:43203970B0B09C64F67B61DD063142DEB600B51AC3CB9951808AD0B8DD6932225F961C843AF8866C6537A086C3A999C932FF87B093CF3597019FC98DA9370A3A
                                                Malicious:true
                                                Yara Hits:
                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe, Author: Joe Security
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 29%
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):1645320
                                                Entropy (8bit):6.787752063353702
                                                Encrypted:false
                                                SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                MD5:871C903A90C45CA08A9D42803916C3F7
                                                SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):645592
                                                Entropy (8bit):6.50414583238337
                                                Encrypted:false
                                                SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):499712
                                                Entropy (8bit):6.414789978441117
                                                Encrypted:false
                                                SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):445440
                                                Entropy (8bit):6.439135831549689
                                                Encrypted:false
                                                SSDEEP:12288:sosmML3+OytpWFkCU1wayvT33iiDNmAE27R9sY9kP0O+:soslvJ3RaY9wU
                                                MD5:CAC7E17311797C5471733638C0DC1F01
                                                SHA1:58E0BD1B63525A2955439CB9BE3431CEA7FF1121
                                                SHA-256:19248357ED7CFF72DEAD18B5743BF66C61438D68374BDA59E3B9D444C6F8F505
                                                SHA-512:A677319AC8A2096D95FFC69F22810BD4F083F6BF55B8A77F20D8FB8EE01F2FEE619CE318D1F55C392A8F3A4D635D9285712E2C572E62997014641C36EDC060A2
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):265728
                                                Entropy (8bit):6.4472652154517345
                                                Encrypted:false
                                                SSDEEP:6144:Fs7u3JL96d15Y2BmKh678IuYAhN3YCjlgiZioXyLWvCe93rZ5WZOlUmpNJ5mlbb/:e7WJL96d15Y2BmKh678IuYAhN3YCjlgw
                                                MD5:752CA72DE243F44AF2ED3FF023EF826E
                                                SHA1:7B508F6B72BD270A861B368EC9FE4BF55D8D472F
                                                SHA-256:F8196F03F8CBED87A92BA5C1207A9063D4EEBB0C22CA88A279F1AE1B1F1B8196
                                                SHA-512:4E5A7242C25D4BBF9087F813D4BF057432271A0F08580DA8C894B7C290DE9E0CF640F6F616B0B6C6CAD14DC0AFDD2697D2855BA4070270824540BAE835FE8C4A
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):1645320
                                                Entropy (8bit):6.787752063353702
                                                Encrypted:false
                                                SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                MD5:871C903A90C45CA08A9D42803916C3F7
                                                SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):176128
                                                Entropy (8bit):6.204917493416147
                                                Encrypted:false
                                                SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):3955723
                                                Entropy (8bit):6.277901339551027
                                                Encrypted:false
                                                SSDEEP:49152:nIZ3lKkj164PmNNo6SUUGoUvX3J3Dn1jS/W1:nk3lKkxDeNC6SbGoUvX3J3Rm/W1
                                                MD5:592A4A2200B2F1360C93080AE58EA526
                                                SHA1:7DA96930625F38723929AF1F26271928A74BDED1
                                                SHA-256:FF5E7A5F6AA5B345C5877E2D2EAFEBB42B07220440D03FD358FF9E2F8753243E
                                                SHA-512:FA17F381498F9A52979D74AFA027CC427E547F185190B77E51C45585CDF6E07C4F81A9A3884E37AC46430A8FD070576B822EDE98C61151856E1EF6514E1A09E2
                                                Malicious:false
                                                Yara Hits:
                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\is-KUG1G.tmp, Author: Joe Security
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:MS Windows HtmlHelp Data
                                                Category:dropped
                                                Size (bytes):78183
                                                Entropy (8bit):7.692742945771669
                                                Encrypted:false
                                                SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                Malicious:false
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):348160
                                                Entropy (8bit):6.542655141037356
                                                Encrypted:false
                                                SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):445440
                                                Entropy (8bit):6.439135831549689
                                                Encrypted:false
                                                SSDEEP:12288:sosmML3+OytpWFkCU1wayvT33iiDNmAE27R9sY9kP0O+:soslvJ3RaY9wU
                                                MD5:CAC7E17311797C5471733638C0DC1F01
                                                SHA1:58E0BD1B63525A2955439CB9BE3431CEA7FF1121
                                                SHA-256:19248357ED7CFF72DEAD18B5743BF66C61438D68374BDA59E3B9D444C6F8F505
                                                SHA-512:A677319AC8A2096D95FFC69F22810BD4F083F6BF55B8A77F20D8FB8EE01F2FEE619CE318D1F55C392A8F3A4D635D9285712E2C572E62997014641C36EDC060A2
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):499712
                                                Entropy (8bit):6.414789978441117
                                                Encrypted:false
                                                SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):348160
                                                Entropy (8bit):6.542655141037356
                                                Encrypted:false
                                                SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):645592
                                                Entropy (8bit):6.50414583238337
                                                Encrypted:false
                                                SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):715253
                                                Entropy (8bit):6.514670688980411
                                                Encrypted:false
                                                SSDEEP:12288:D/kqO+1G7DMvrP537dzHsA6BllcOuGbnH3ERNIg9rNlQyRmh1K8xyFV:jkqZ1G7DMvrP537dzHsA6hcHGbH3E0hA
                                                MD5:5628959C491E9FBC54C10B5C339EBA38
                                                SHA1:7376F29714F50A487725C758E330760B333B6647
                                                SHA-256:00FE63DFA6CFCB9079B96319B6B140EB50E6EE813692B5BBFF6E2502DA0B7B9B
                                                SHA-512:4B492E92572606AA58899631A0AF3C0D333613E9918B41B7AA6CB5918BF0472DA4ABF5F44F34B6689D54E2C1B1A55E658213E62991472AC3DAA0F8C9A62D007F
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 3%
                                                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t........................@..............................................@..............................`%..................................................................................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS.....l................................idata..`%.......&..................@....tls.....................................rdata..............................@..P.reloc..@.... ......................@..P.rsrc...............................@..P.....................J..............@..P........................................................................................................................................
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:InnoSetup Log Darel VideoStudio, version 0x30, 4966 bytes, 878411\user, "C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7"
                                                Category:dropped
                                                Size (bytes):4966
                                                Entropy (8bit):4.774085401863823
                                                Encrypted:false
                                                SSDEEP:96:U43nWavn8FpOmn/9u+eOIhea7ICSss/LnDLS06F7:DnWavnSpOc1HIhpICSsAnDu08
                                                MD5:775D2C23D833523132B355B95C198B4E
                                                SHA1:FD966B120C2C9A9430D7EF1C001C10288CAEA334
                                                SHA-256:8DCF57904B21600612423E9F81A0D8733E6932914421025352F466D90196187D
                                                SHA-512:70A4689B1FAA164B046118BDD72568DEEDBB2DF8B959BCBF0E0850E93E1154C0BC322C53E3AE7CB8BF5A5F01C5AFF1241447ADA54A01F1B4EC26763FFA56DB0A
                                                Malicious:false
                                                Preview:Inno Setup Uninstall Log (b)....................................Darel VideoStudio...............................................................................................................Darel VideoStudio...............................................................................................................0.......f...%...............................................................................................................O..............N......V....878411.user6C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7...............I.. .....8......IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):715253
                                                Entropy (8bit):6.514670688980411
                                                Encrypted:false
                                                SSDEEP:12288:D/kqO+1G7DMvrP537dzHsA6BllcOuGbnH3ERNIg9rNlQyRmh1K8xyFV:jkqZ1G7DMvrP537dzHsA6hcHGbH3E0hA
                                                MD5:5628959C491E9FBC54C10B5C339EBA38
                                                SHA1:7376F29714F50A487725C758E330760B333B6647
                                                SHA-256:00FE63DFA6CFCB9079B96319B6B140EB50E6EE813692B5BBFF6E2502DA0B7B9B
                                                SHA-512:4B492E92572606AA58899631A0AF3C0D333613E9918B41B7AA6CB5918BF0472DA4ABF5F44F34B6689D54E2C1B1A55E658213E62991472AC3DAA0F8C9A62D007F
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 3%
                                                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t........................@..............................................@..............................`%..................................................................................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS.....l................................idata..`%.......&..................@....tls.....................................rdata..............................@..P.reloc..@.... ......................@..P.rsrc...............................@..P.....................J..............@..P........................................................................................................................................
                                                Process:C:\Users\user\Desktop\AUCHKVG4Ic.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):704000
                                                Entropy (8bit):6.506144087340529
                                                Encrypted:false
                                                SSDEEP:12288:r/kqO+1G7DMvrP537dzHsA6BllcOuGbnH3ERNIg9rNlQyRmh1K8xyF:bkqZ1G7DMvrP537dzHsA6hcHGbH3E0hs
                                                MD5:40B10288749DE20BB477384387D5FB8A
                                                SHA1:A696CC006EBC4EE1D72176185DA5C6B10ABFE037
                                                SHA-256:0587B2BCD86A0B67B2874D24D855E7ED739BD7615B211290B80F66DF11064CA8
                                                SHA-512:9C66FA38014D90FA54BB5A7A6561C8F36DB9745327DCFD0979F1A07ADD7FA24131F5CA6A2678E3B4A6B37E3B8E10B5870E658C631F77A88059754BD85D501768
                                                Malicious:true
                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t........................@..............................................@..............................`%..................................................................................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS.....l................................idata..`%.......&..................@....tls.....................................rdata..............................@..P.reloc..@.... ......................@..P.rsrc...............................@..P.....................J..............@..P........................................................................................................................................
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):2560
                                                Entropy (8bit):2.8818118453929262
                                                Encrypted:false
                                                SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                MD5:A69559718AB506675E907FE49DEB71E9
                                                SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):6144
                                                Entropy (8bit):4.215994423157539
                                                Encrypted:false
                                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                                MD5:4FF75F505FDDCC6A9AE62216446205D9
                                                SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                                SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                                SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                Category:dropped
                                                Size (bytes):23312
                                                Entropy (8bit):4.596242908851566
                                                Encrypted:false
                                                SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.997971554567522
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 98.86%
                                                • Inno Setup installer (109748/4) 1.08%
                                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                File name:AUCHKVG4Ic.exe
                                                File size:3'655'965 bytes
                                                MD5:ae76cb8ba0c29acf348b81f607c81312
                                                SHA1:67e2206d5a5beadc48a7022776ead6a83b07cc55
                                                SHA256:af84cf74629f1487325a0c18e73916087d3af81912b8a87be43300f67da7033c
                                                SHA512:8affd7f4bc43112234be196721913d64b38f3e3081f7d7aeada32ce113d625b5135a3be932605659645100d498ebc60cf85975f11f44b34e6b713494171bc39f
                                                SSDEEP:98304:NjQbejEbxNE5dIgPJbImuu4nLA6aeoBWNhOXPc9:9QbeIle59PJbJul86agOXPC
                                                TLSH:980633E2B0E085B2E850CE7C0EFC7428CA61FFD21979E249319D5D6D0BB7A10AB55363
                                                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                Icon Hash:2d2e3797b32b2b99
                                                Entrypoint:0x409c40
                                                Entrypoint Section:CODE
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                                Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:1
                                                OS Version Minor:0
                                                File Version Major:1
                                                File Version Minor:0
                                                Subsystem Version Major:1
                                                Subsystem Version Minor:0
                                                Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                Instruction
                                                push ebp
                                                mov ebp, esp
                                                add esp, FFFFFFC4h
                                                push ebx
                                                push esi
                                                push edi
                                                xor eax, eax
                                                mov dword ptr [ebp-10h], eax
                                                mov dword ptr [ebp-24h], eax
                                                call 00007FA5547A706Bh
                                                call 00007FA5547A8272h
                                                call 00007FA5547A8501h
                                                call 00007FA5547AA538h
                                                call 00007FA5547AA57Fh
                                                call 00007FA5547ACEAEh
                                                call 00007FA5547AD015h
                                                xor eax, eax
                                                push ebp
                                                push 0040A2FCh
                                                push dword ptr fs:[eax]
                                                mov dword ptr fs:[eax], esp
                                                xor edx, edx
                                                push ebp
                                                push 0040A2C5h
                                                push dword ptr fs:[edx]
                                                mov dword ptr fs:[edx], esp
                                                mov eax, dword ptr [0040C014h]
                                                call 00007FA5547ADA7Bh
                                                call 00007FA5547AD6AEh
                                                lea edx, dword ptr [ebp-10h]
                                                xor eax, eax
                                                call 00007FA5547AAB68h
                                                mov edx, dword ptr [ebp-10h]
                                                mov eax, 0040CE24h
                                                call 00007FA5547A7117h
                                                push 00000002h
                                                push 00000000h
                                                push 00000001h
                                                mov ecx, dword ptr [0040CE24h]
                                                mov dl, 01h
                                                mov eax, 0040738Ch
                                                call 00007FA5547AB3F7h
                                                mov dword ptr [0040CE28h], eax
                                                xor edx, edx
                                                push ebp
                                                push 0040A27Dh
                                                push dword ptr fs:[edx]
                                                mov dword ptr fs:[edx], esp
                                                call 00007FA5547ADAEBh
                                                mov dword ptr [0040CE30h], eax
                                                mov eax, dword ptr [0040CE30h]
                                                cmp dword ptr [eax+0Ch], 01h
                                                jne 00007FA5547ADC2Ah
                                                mov eax, dword ptr [0040CE30h]
                                                mov edx, 00000028h
                                                call 00007FA5547AB7F8h
                                                mov edx, dword ptr [00000030h]
                                                 Name | Virtual Address | Virtual Size | Is in Section
                                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                 Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                 CODE | 0x1000 | 0x9364 | 0x9400 | 2c410dfc3efd04d9b69c35c70921424e | False | 0.6147856841216216 | data | 6.560885192755103 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                 DATA | 0xb000 | 0x24c | 0x400 | d5ea23d4ecf110fd2591314cbaa84278 | False | 0.310546875 | data | 2.7390956346874638 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                 BSS | 0xc000 | 0xe88 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                 .idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                 .tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                 .rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                 .reloc | 0x10000 | 0x8b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                 .rsrc | 0x11000 | 0x2c00 | 0x2c00 | d555932731b85b368422b4e876a1ac00 | False | 0.32270951704545453 | data | 4.459941052684769 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                 Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                 RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
                                                 RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
                                                 RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
                                                 RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
                                                 RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
                                                 RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
                                                 RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
                                                 RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
                                                 RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
                                                 RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
                                                 RT_RCDATA | 0x13010 | 0x2c | data | | | 1.2045454545454546
                                                 RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
                                                 RT_VERSION | 0x1307c | 0x4b8 | COM executable for DOS | English | United States | 0.2740066225165563
                                                 RT_MANIFEST | 0x13534 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093
                                                 DLL | Import
                                                 kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
                                                 user32.dll | MessageBoxA
                                                 oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
                                                 advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
                                                 kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
                                                 user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
                                                 comctl32.dll | InitCommonControls
                                                 advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-02T07:25:01.542508+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49742 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:02.251899+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49742 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:03.849804+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49748 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:04.553984+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49748 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:06.387280+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49755 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:07.120516+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49755 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:08.750564+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49766 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:09.466645+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49766 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:11.052288+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49772 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:11.748239+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49772 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:13.338375+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49778 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:14.031762+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49778 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:15.602969+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49784 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:16.300787+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49784 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:18.173631+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49789 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:18.925799+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49789 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:20.811268+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49794 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:21.535664+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49794 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:23.196803+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49800 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:23.911502+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49800 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:25.506294+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49806 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:26.200708+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49806 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:28.077242+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49812 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:28.788903+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49812 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:30.415353+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49818 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:31.119326+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49818 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:32.713276+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49824 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:33.411344+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49824 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:35.236621+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49830 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:35.945861+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49830 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:37.887804+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49837 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:38.598762+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49837 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:40.274433+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49847 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:40.990956+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49847 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:42.820881+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49853 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:43.552924+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49853 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:45.136394+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49859 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:45.829763+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49859 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:47.520703+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49865 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:48.236015+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49865 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:49.868905+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49871 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:50.595330+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49871 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:52.211201+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49877 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:52.922897+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49877 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:54.562825+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49883 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:55.284591+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49883 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:56.910094+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49889 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:57.615505+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49889 | 188.119.66.185 | 443 | TCP
2024-12-02T07:25:59.292068+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49894 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:00.041634+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49894 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:01.666511+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49899 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:02.372837+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49899 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:03.992973+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49905 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:04.696011+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49905 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:06.549448+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49910 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:07.253029+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49910 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:08.972916+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49918 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:09.784569+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49918 | 188.119.66.185 | 443 | TCP
2024-12-02T07:26:11.405790+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49926 | 188.119.66.185 | 443 | TCP
                                                Dec 2, 2024 07:25:26.313921928 CET44349812188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:28.077148914 CET44349812188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:28.077241898 CET49812443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:28.080313921 CET49812443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:28.080318928 CET44349812188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:28.080534935 CET49812443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:28.080538988 CET44349812188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:28.788918018 CET44349812188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:28.788961887 CET44349812188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:28.788980961 CET49812443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:28.789006948 CET49812443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:28.789308071 CET49812443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:28.789318085 CET44349812188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:28.907237053 CET49818443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:28.907263041 CET44349818188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:28.907330990 CET49818443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:28.907593012 CET49818443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:28.907603979 CET44349818188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:30.415265083 CET44349818188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:30.415353060 CET49818443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:30.415843964 CET49818443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:30.415848970 CET44349818188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:30.416023970 CET49818443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:30.416028023 CET44349818188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:31.119347095 CET44349818188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:31.119395971 CET44349818188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:31.119417906 CET49818443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:31.119441986 CET49818443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:31.119712114 CET49818443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:31.119719028 CET44349818188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:31.235475063 CET49824443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:31.235498905 CET44349824188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:31.235578060 CET49824443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:31.235842943 CET49824443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:31.235853910 CET44349824188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:32.712637901 CET44349824188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:32.713275909 CET49824443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:32.756953955 CET49824443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:32.756963015 CET44349824188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:32.757112980 CET49824443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:32.757117033 CET44349824188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:33.411359072 CET44349824188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:33.411405087 CET44349824188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:33.411422014 CET49824443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:33.411473989 CET49824443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:33.411664009 CET49824443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:33.411673069 CET44349824188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:33.516685009 CET49830443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:33.516712904 CET44349830188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:33.516777992 CET49830443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:33.517039061 CET49830443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:33.517052889 CET44349830188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:35.236550093 CET44349830188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:35.236620903 CET49830443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:35.317919970 CET49830443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:35.317928076 CET44349830188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:35.318187952 CET49830443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:35.318192959 CET44349830188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:35.945890903 CET44349830188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:35.945935965 CET44349830188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:35.945980072 CET49830443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:35.945997953 CET49830443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:35.946317911 CET49830443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:35.946329117 CET44349830188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:36.071296930 CET49837443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:36.071336031 CET44349837188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:36.071408033 CET49837443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:36.071903944 CET49837443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:36.071918964 CET44349837188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:37.887746096 CET44349837188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:37.887804031 CET49837443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:37.888107061 CET49837443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:37.888113976 CET44349837188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:37.889971018 CET49837443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:37.889977932 CET44349837188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:38.598779917 CET44349837188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:38.598828077 CET44349837188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:38.598872900 CET49837443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:38.598900080 CET49837443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:38.599042892 CET49837443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:38.599056959 CET44349837188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:38.719803095 CET49847443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:38.719818115 CET44349847188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:38.719897032 CET49847443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:38.720160961 CET49847443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:38.720170975 CET44349847188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:40.274266005 CET44349847188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:40.274432898 CET49847443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:40.274791956 CET49847443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:40.274796963 CET44349847188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:40.274986029 CET49847443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:40.274988890 CET44349847188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:40.990973949 CET44349847188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:40.991019011 CET44349847188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:40.991034985 CET49847443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:40.991059065 CET49847443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:40.991267920 CET49847443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:40.991276026 CET44349847188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:41.110614061 CET49853443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:41.110641956 CET44349853188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:41.110733986 CET49853443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:41.110985041 CET49853443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:41.110997915 CET44349853188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:42.820810080 CET44349853188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:42.820880890 CET49853443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:42.821291924 CET49853443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:42.821295977 CET44349853188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:42.821485996 CET49853443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:42.821489096 CET44349853188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:43.552942991 CET44349853188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:43.552988052 CET44349853188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:43.553020954 CET49853443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:43.553034067 CET49853443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:43.553272963 CET49853443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:43.553280115 CET44349853188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:43.674329042 CET49859443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:43.674355030 CET44349859188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:43.674421072 CET49859443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:43.674679995 CET49859443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:43.674690962 CET44349859188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:45.136168003 CET44349859188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:45.136394024 CET49859443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:45.136909962 CET49859443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:45.136914015 CET44349859188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:45.137125015 CET49859443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:45.137129068 CET44349859188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:45.829773903 CET44349859188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:45.829849958 CET44349859188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:45.829868078 CET49859443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:45.829901934 CET49859443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:45.830163002 CET49859443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:45.830171108 CET44349859188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:45.964548111 CET49865443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:45.964592934 CET44349865188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:45.964668036 CET49865443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:45.964921951 CET49865443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:45.964940071 CET44349865188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:47.520622015 CET44349865188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:47.520703077 CET49865443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:47.521157026 CET49865443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:47.521166086 CET44349865188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:47.521337032 CET49865443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:47.521342039 CET44349865188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:48.236042976 CET44349865188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:48.236088991 CET44349865188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:48.236110926 CET49865443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:48.236134052 CET49865443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:48.236318111 CET49865443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:48.236336946 CET44349865188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:48.360591888 CET49871443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:48.360632896 CET44349871188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:48.360713959 CET49871443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:48.360939980 CET49871443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:48.360956907 CET44349871188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:49.868794918 CET44349871188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:49.868905067 CET49871443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:49.869357109 CET49871443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:49.869362116 CET44349871188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:49.869548082 CET49871443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:49.869553089 CET44349871188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:50.595347881 CET44349871188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:50.595387936 CET44349871188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:50.595407009 CET49871443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:50.595442057 CET49871443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:50.595684052 CET49871443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:50.595700026 CET44349871188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:50.704143047 CET49877443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:50.704164028 CET44349877188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:50.704257011 CET49877443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:50.704476118 CET49877443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:50.704485893 CET44349877188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:52.211045027 CET44349877188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:52.211200953 CET49877443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:52.220362902 CET49877443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:52.220369101 CET44349877188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:52.220571041 CET49877443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:52.220575094 CET44349877188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:52.922899961 CET44349877188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:52.922951937 CET49877443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:52.922964096 CET44349877188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:52.923005104 CET44349877188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:52.923022032 CET49877443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:52.923053980 CET49877443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:52.923223972 CET49877443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:52.923232079 CET44349877188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:53.047859907 CET49883443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:53.047893047 CET44349883188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:53.047970057 CET49883443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:53.048202038 CET49883443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:53.048213959 CET44349883188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:54.562740088 CET44349883188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:54.562824965 CET49883443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:54.563844919 CET49883443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:54.563851118 CET44349883188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:54.564038992 CET49883443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:54.564043045 CET44349883188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:55.284609079 CET44349883188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:55.284657001 CET44349883188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:55.284670115 CET49883443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:55.284701109 CET49883443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:55.284904003 CET49883443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:55.284915924 CET44349883188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:55.391980886 CET49889443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:55.392004967 CET44349889188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:55.392096996 CET49889443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:55.392330885 CET49889443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:55.392342091 CET44349889188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:56.910017014 CET44349889188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:56.910094023 CET49889443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:56.910481930 CET49889443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:56.910487890 CET44349889188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:56.910667896 CET49889443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:56.910671949 CET44349889188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:57.615516901 CET44349889188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:57.615566015 CET44349889188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:57.615612984 CET49889443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:57.615638971 CET49889443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:57.615808010 CET49889443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:57.615818977 CET44349889188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:57.735605955 CET49894443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:57.735641956 CET44349894188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:57.735728025 CET49894443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:57.736063957 CET49894443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:57.736077070 CET44349894188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:59.292007923 CET44349894188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:59.292068005 CET49894443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:59.292478085 CET49894443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:59.292489052 CET44349894188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:25:59.292674065 CET49894443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:25:59.292680025 CET44349894188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:26:00.041651964 CET44349894188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:26:00.041714907 CET49894443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:26:00.041733027 CET44349894188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:26:00.041776896 CET49894443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:26:00.041784048 CET44349894188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:26:00.041809082 CET44349894188.119.66.185192.168.2.4
                                                Dec 2, 2024 07:26:00.041825056 CET49894443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:26:00.041856050 CET49894443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:26:00.041963100 CET49894443192.168.2.4188.119.66.185
                                                Dec 2, 2024 07:26:00.041977882 CET44349894188.119.66.185192.168.2.4
Dec 2, 2024 07:26:00.157716990 CET | 49899 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:00.157748938 CET | 443 | 49899 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:00.157829046 CET | 49899 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:00.158173084 CET | 49899 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:00.158185005 CET | 443 | 49899 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:01.666450024 CET | 443 | 49899 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:01.666511059 CET | 49899 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:01.676995039 CET | 49899 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:01.677002907 CET | 443 | 49899 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:01.680775881 CET | 49899 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:01.680780888 CET | 443 | 49899 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:02.372855902 CET | 443 | 49899 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:02.373008013 CET | 49899 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:02.373018980 CET | 443 | 49899 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:02.373178005 CET | 49899 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:02.373436928 CET | 49899 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:02.373462915 CET | 443 | 49899 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:02.373569965 CET | 49899 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:02.485445976 CET | 49905 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:02.485466003 CET | 443 | 49905 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:02.485552073 CET | 49905 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:02.485817909 CET | 49905 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:02.485826969 CET | 443 | 49905 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:03.992870092 CET | 443 | 49905 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:03.992973089 CET | 49905 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:03.996015072 CET | 49905 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:03.996020079 CET | 443 | 49905 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:03.996232033 CET | 443 | 49905 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:03.997356892 CET | 49905 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:03.997765064 CET | 49905 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:04.043328047 CET | 443 | 49905 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:04.696021080 CET | 443 | 49905 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:04.696078062 CET | 443 | 49905 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:04.696110964 CET | 49905 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:04.696145058 CET | 49905 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:04.696373940 CET | 49905 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:04.696384907 CET | 443 | 49905 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:04.831605911 CET | 49910 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:04.831617117 CET | 443 | 49910 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:04.831831932 CET | 49910 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:04.832187891 CET | 49910 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:04.832197905 CET | 443 | 49910 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:06.545706987 CET | 443 | 49910 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:06.549448013 CET | 49910 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:06.551513910 CET | 49910 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:06.551513910 CET | 49910 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:06.551522017 CET | 443 | 49910 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:06.551534891 CET | 443 | 49910 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:07.253051043 CET | 443 | 49910 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:07.253098011 CET | 443 | 49910 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:07.253123999 CET | 49910 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:07.253406048 CET | 49910 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:07.253406048 CET | 49910 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:07.416912079 CET | 49918 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:07.416930914 CET | 443 | 49918 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:07.416997910 CET | 49918 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:07.417407036 CET | 49918 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:07.417417049 CET | 443 | 49918 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:07.561556101 CET | 49910 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:07.561570883 CET | 443 | 49910 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:08.972758055 CET | 443 | 49918 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:08.972915888 CET | 49918 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:08.974138021 CET | 49918 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:08.974145889 CET | 443 | 49918 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:08.976505041 CET | 49918 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:08.976510048 CET | 443 | 49918 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:09.784514904 CET | 443 | 49918 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:09.784558058 CET | 443 | 49918 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:09.784605980 CET | 49918 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:09.784842968 CET | 49918 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:09.784849882 CET | 443 | 49918 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:09.894284010 CET | 49926 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:09.894295931 CET | 443 | 49926 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:09.894360065 CET | 49926 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:09.894608974 CET | 49926 | 443 | 192.168.2.4 | 188.119.66.185
Dec 2, 2024 07:26:09.894618034 CET | 443 | 49926 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:11.405706882 CET | 443 | 49926 | 188.119.66.185 | 192.168.2.4
Dec 2, 2024 07:26:11.405790091 CET | 49926 | 443 | 192.168.2.4 | 188.119.66.185
                                                • 188.119.66.185
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49742 | 188.119.66.185 | 443 | 5324 | C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 06:25:01 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-02 06:25:02 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-02 06:25:02 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49748 | 188.119.66.185 | 443 | 5324 | C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 06:25:03 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-02 06:25:04 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-02 06:25:04 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49755 | 188.119.66.185 | 443 | 5324 | C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 06:25:06 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-02 06:25:07 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-02 06:25:07 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49766 | 188.119.66.185 | 443 | 5324 | C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 06:25:08 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-02 06:25:09 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-02 06:25:09 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49772 | 188.119.66.185 | 443 | 5324 | C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 06:25:11 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-02 06:25:11 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-02 06:25:11 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49778 | 188.119.66.185 | 443 | 5324 | C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 06:25:13 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-02 06:25:14 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-02 06:25:14 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49784 | 188.119.66.185 | 443 | 5324 | C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 06:25:15 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-02 06:25:16 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-02 06:25:16 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49789 | 188.119.66.185 | 443 | 5324 | C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 06:25:18 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-02 06:25:18 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-02 06:25:18 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49794 | 188.119.66.185 | 443 | 5324 | C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 06:25:20 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-02 06:25:21 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-02 06:25:21 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49800 | 188.119.66.185 | 443 | 5324 | C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 06:25:23 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-02 06:25:23 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-02 06:25:23 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49806 | 188.119.66.185 | 443 | 5324 | C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 06:25:25 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-02 06:25:26 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-02 06:25:26 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49812 | 188.119.66.185 | 443 | 5324 | C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 06:25:28 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-02 06:25:28 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-02 06:25:28 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49818 | 188.119.66.185 | 443 | 5324 | C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 06:25:30 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-02 06:25:31 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-02 06:25:31 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49824 | 188.119.66.185 | 443 | 5324 | C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 06:25:32 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-02 06:25:33 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-02 06:25:33 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49830 | 188.119.66.185 | 443 | 5324 | C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 06:25:35 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-02 06:25:35 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-02 06:25:35 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49837 | 188.119.66.185 | 443 | 5324 | C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 06:25:37 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-02 06:25:38 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-02 06:25:38 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:16
Source IP:192.168.2.4
Source Port:49847
Destination IP:188.119.66.185
Destination Port:443
PID:5324
Process:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp:2024-12-02 06:25:40 UTC  Bytes transferred:283  Direction:OUT
GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
Timestamp:2024-12-02 06:25:40 UTC  Bytes transferred:200  Direction:IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
Timestamp:2024-12-02 06:25:40 UTC  Bytes transferred:24  Direction:IN
Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:17
Source IP:192.168.2.4
Source Port:49853
Destination IP:188.119.66.185
Destination Port:443
PID:5324
Process:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp:2024-12-02 06:25:42 UTC  Bytes transferred:283  Direction:OUT
GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
Timestamp:2024-12-02 06:25:43 UTC  Bytes transferred:200  Direction:IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
Timestamp:2024-12-02 06:25:43 UTC  Bytes transferred:24  Direction:IN
Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:18
Source IP:192.168.2.4
Source Port:49859
Destination IP:188.119.66.185
Destination Port:443
PID:5324
Process:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp:2024-12-02 06:25:45 UTC  Bytes transferred:283  Direction:OUT
GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
Timestamp:2024-12-02 06:25:45 UTC  Bytes transferred:200  Direction:IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
Timestamp:2024-12-02 06:25:45 UTC  Bytes transferred:24  Direction:IN
Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:19
Source IP:192.168.2.4
Source Port:49865
Destination IP:188.119.66.185
Destination Port:443
PID:5324
Process:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp:2024-12-02 06:25:47 UTC  Bytes transferred:283  Direction:OUT
GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
Timestamp:2024-12-02 06:25:48 UTC  Bytes transferred:200  Direction:IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
Timestamp:2024-12-02 06:25:48 UTC  Bytes transferred:24  Direction:IN
Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:20
Source IP:192.168.2.4
Source Port:49871
Destination IP:188.119.66.185
Destination Port:443
PID:5324
Process:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp:2024-12-02 06:25:49 UTC  Bytes transferred:283  Direction:OUT
GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
Timestamp:2024-12-02 06:25:50 UTC  Bytes transferred:200  Direction:IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
Timestamp:2024-12-02 06:25:50 UTC  Bytes transferred:24  Direction:IN
Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:21
Source IP:192.168.2.4
Source Port:49877
Destination IP:188.119.66.185
Destination Port:443
PID:5324
Process:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp:2024-12-02 06:25:52 UTC  Bytes transferred:283  Direction:OUT
GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
Timestamp:2024-12-02 06:25:52 UTC  Bytes transferred:200  Direction:IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
Timestamp:2024-12-02 06:25:52 UTC  Bytes transferred:24  Direction:IN
Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:22
Source IP:192.168.2.4
Source Port:49883
Destination IP:188.119.66.185
Destination Port:443
PID:5324
Process:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp:2024-12-02 06:25:54 UTC  Bytes transferred:283  Direction:OUT
GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
Timestamp:2024-12-02 06:25:55 UTC  Bytes transferred:200  Direction:IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
Timestamp:2024-12-02 06:25:55 UTC  Bytes transferred:24  Direction:IN
Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:23
Source IP:192.168.2.4
Source Port:49889
Destination IP:188.119.66.185
Destination Port:443
PID:5324
Process:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp:2024-12-02 06:25:56 UTC  Bytes transferred:283  Direction:OUT
GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
Timestamp:2024-12-02 06:25:57 UTC  Bytes transferred:200  Direction:IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
Timestamp:2024-12-02 06:25:57 UTC  Bytes transferred:24  Direction:IN
Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:24
Source IP:192.168.2.4
Source Port:49894
Destination IP:188.119.66.185
Destination Port:443
PID:5324
Process:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp:2024-12-02 06:25:59 UTC  Bytes transferred:283  Direction:OUT
GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
Timestamp:2024-12-02 06:26:00 UTC  Bytes transferred:200  Direction:IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:25:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
Timestamp:2024-12-02 06:26:00 UTC  Bytes transferred:24  Direction:IN
Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:25
Source IP:192.168.2.4
Source Port:49899
Destination IP:188.119.66.185
Destination Port:443
PID:5324
Process:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp:2024-12-02 06:26:01 UTC  Bytes transferred:283  Direction:OUT
GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
Timestamp:2024-12-02 06:26:02 UTC  Bytes transferred:200  Direction:IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:26:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
Timestamp:2024-12-02 06:26:02 UTC  Bytes transferred:24  Direction:IN
Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:26
Source IP:192.168.2.4
Source Port:49905
Destination IP:188.119.66.185
Destination Port:443
PID:5324
Process:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp:2024-12-02 06:26:03 UTC  Bytes transferred:283  Direction:OUT
GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
Timestamp:2024-12-02 06:26:04 UTC  Bytes transferred:200  Direction:IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:26:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
Timestamp:2024-12-02 06:26:04 UTC  Bytes transferred:24  Direction:IN
Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:27
Source IP:192.168.2.4
Source Port:49910
Destination IP:188.119.66.185
Destination Port:443
PID:5324
Process:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp:2024-12-02 06:26:06 UTC  Bytes transferred:283  Direction:OUT
GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
Timestamp:2024-12-02 06:26:07 UTC  Bytes transferred:200  Direction:IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:26:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
Timestamp:2024-12-02 06:26:07 UTC  Bytes transferred:24  Direction:IN
Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID:28
Source IP:192.168.2.4
Source Port:49918
Destination IP:188.119.66.185
Destination Port:443
PID:5324
Process:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
Timestamp:2024-12-02 06:26:08 UTC  Bytes transferred:283  Direction:OUT
GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021ddd322619d4308a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
Timestamp:2024-12-02 06:26:09 UTC  Bytes transferred:200  Direction:IN
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 02 Dec 2024 06:26:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
Timestamp:2024-12-02 06:26:09 UTC  Bytes transferred:24  Direction:IN
Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


                                                Target ID:0
                                                Start time:01:24:04
                                                Start date:02/12/2024
                                                Path:C:\Users\user\Desktop\AUCHKVG4Ic.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\AUCHKVG4Ic.exe"
                                                Imagebase:0x400000
                                                File size:3'655'965 bytes
                                                MD5 hash:AE76CB8BA0C29ACF348B81F607C81312
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:false

                                                Target ID:1
                                                Start time:01:24:04
                                                Start date:02/12/2024
                                                Path:C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-1LPNT.tmp\AUCHKVG4Ic.tmp" /SL5="$20450,3407737,54272,C:\Users\user\Desktop\AUCHKVG4Ic.exe"
                                                Imagebase:0x400000
                                                File size:704'000 bytes
                                                MD5 hash:40B10288749DE20BB477384387D5FB8A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000002.3008599168.0000000005BB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:false

                                                Target ID:2
                                                Start time:01:24:06
                                                Start date:02/12/2024
                                                Path:C:\Windows\SysWOW64\net.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\system32\net.exe" pause darel_video_studio_1215
                                                Imagebase:0x440000
                                                File size:47'104 bytes
                                                MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:01:24:06
                                                Start date:02/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:4
                                                Start time:01:24:06
                                                Start date:02/12/2024
                                                Path:C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe" -i
                                                Imagebase:0x400000
                                                File size:3'955'723 bytes
                                                MD5 hash:E883A0F90D0EBC036ED3C6C494AD5073
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000004.00000002.3008595636.0000000002E01000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.1771386321.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000004.00000002.3008446756.0000000002D56000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Darel VideoStudio 1.0.7.7\darelvideostudio32.exe, Author: Joe Security
                                                Antivirus matches:
                                                • Detection: 100%, Avira
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 29%, ReversingLabs
                                                Reputation:low
                                                Has exited:false

                                                Target ID:5
                                                Start time:01:24:06
                                                Start date:02/12/2024
                                                Path:C:\Windows\SysWOW64\net1.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\system32\net1 pause darel_video_studio_1215
                                                Imagebase:0xb90000
                                                File size:139'776 bytes
                                                MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                  Execution Graph

                                                  Execution Coverage:21%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:2.4%
                                                  Total number of Nodes:1497
                                                  Total number of Limit Nodes:22
5213->5214 5215 4051fc 5 API calls 5214->5215 5216 405505 5215->5216 5217 4031e8 4 API calls 5216->5217 5218 405512 5217->5218 5219 4051fc 5 API calls 5218->5219 5220 405527 5219->5220 5221 4031e8 4 API calls 5220->5221 5222 405534 5221->5222 5223 4051fc 5 API calls 5222->5223 5224 405549 5223->5224 5225 405566 5224->5225 5226 405557 5224->5226 5227 40322c 4 API calls 5225->5227 5296 40322c 5226->5296 5229 405564 5227->5229 5230 4051fc 5 API calls 5229->5230 5231 405588 5230->5231 5232 4055a5 5231->5232 5233 405596 5231->5233 5235 403198 4 API calls 5232->5235 5234 40322c 4 API calls 5233->5234 5236 4055a3 5234->5236 5235->5236 5290 4033b4 5236->5290 5238 4055c7 5239 4033b4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5238->5239 5240 4055e1 5239->5240 5241 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5240->5241 5242 4055fb 5241->5242 5243 405ce4 GetVersionExA 5242->5243 5244 405cfb 5243->5244 5244->5053 5246 40593c 5245->5246 5253 404ccc LoadStringA 5246->5253 5249 4031e8 4 API calls 5250 40596d 5249->5250 5256 403198 5250->5256 5260 403278 5253->5260 5257 4031b7 5256->5257 5258 40319e 5256->5258 5257->5176 5258->5257 5274 4025ac 5258->5274 5265 403254 5260->5265 5262 403288 5263 403198 4 API calls 5262->5263 5264 4032a0 5263->5264 5264->5249 5266 403274 5265->5266 5267 403258 5265->5267 5266->5262 5270 402594 5267->5270 5271 402598 5270->5271 5273 4025a2 5270->5273 5272 403154 4 API calls 5271->5272 5271->5273 5272->5273 5273->5262 5275 4025b0 5274->5275 5276 4025ba 5274->5276 5275->5276 5277 403154 4 API calls 5275->5277 5276->5257 5276->5276 5277->5276 5279 4031be 5278->5279 5280 4031e3 5279->5280 5281 4025ac 4 API calls 5279->5281 5280->5188 5281->5279 5283 405223 5282->5283 5284 405235 5282->5284 5285 403278 4 API calls 5283->5285 5286 40322c 4 API calls 5284->5286 5287 405233 5285->5287 5286->5287 5287->5191 5289 405264 5288->5289 5289->5199 5291 4033bc 5290->5291 5292 403254 4 API calls 5291->5292 5293 4033cf 5292->5293 5294 4031e8 4 API calls 
5293->5294 5295 4033f7 5294->5295 5297 403230 5296->5297 5298 403252 5297->5298 5299 4025ac 4 API calls 5297->5299 5298->5229 5299->5298 5308 403414 5300->5308 5303 406fee 5304 407284 FormatMessageA 5303->5304 5305 4072aa 5304->5305 5306 403278 4 API calls 5305->5306 5307 4072c7 5306->5307 5307->5060 5309 403418 LoadLibraryA 5308->5309 5309->5303 5317 406af0 5310->5317 5312 406bf3 5313 406c05 5312->5313 5314 406af0 4 API calls 5312->5314 5315 403198 4 API calls 5313->5315 5314->5312 5316 406c1a 5315->5316 5316->5075 5318 406b1c 5317->5318 5319 403278 4 API calls 5318->5319 5320 406b29 5319->5320 5327 403420 5320->5327 5322 406b31 5323 4031e8 4 API calls 5322->5323 5324 406b49 5323->5324 5325 403198 4 API calls 5324->5325 5326 406b6b 5325->5326 5326->5312 5328 403426 5327->5328 5330 403437 5327->5330 5329 403254 4 API calls 5328->5329 5328->5330 5329->5330 5330->5322 5332 407578 5331->5332 5333 4075b7 CreateFileA 5332->5333 5333->5098 5335 403414 5334->5335 5336 4075b7 CreateFileA 5335->5336 5336->5098 5340 4073ec 5337->5340 5341 407284 5 API calls 5340->5341 5342 407414 5341->5342 5343 407434 5342->5343 5349 405184 5342->5349 5352 405880 5343->5352 5346 407443 5347 403198 4 API calls 5346->5347 5348 407460 5347->5348 5348->5099 5356 405198 5349->5356 5353 405887 5352->5353 5354 4031e8 4 API calls 5353->5354 5355 40589f 5354->5355 5355->5346 5357 4051b5 5356->5357 5364 404e48 5357->5364 5360 4051e1 5362 403278 4 API calls 5360->5362 5363 405193 5362->5363 5363->5343 5367 404e63 5364->5367 5365 404e75 5365->5360 5369 404bd4 5365->5369 5367->5365 5372 404f6a 5367->5372 5379 404e3c 5367->5379 5370 405930 5 API calls 5369->5370 5371 404be5 5370->5371 5371->5360 5373 404f7b 5372->5373 5376 404fc9 5372->5376 5375 40504f 5373->5375 5373->5376 5378 404fe7 5375->5378 5386 404e28 5375->5386 5376->5378 5382 404de4 5376->5382 5378->5367 5380 403198 4 API calls 5379->5380 5381 404e46 5380->5381 5381->5367 5383 404df2 5382->5383 5389 404bec 5383->5389 5385 404e20 5385->5376 5402 
4039a4 5386->5402 5392 4059a0 5389->5392 5391 404c05 5391->5385 5393 4059ae 5392->5393 5394 404ccc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 5393->5394 5395 4059d8 5394->5395 5396 405184 19 API calls 5395->5396 5397 4059e6 5396->5397 5398 4031e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5397->5398 5399 4059f1 5398->5399 5400 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5399->5400 5401 405a0b 5400->5401 5401->5391 5403 4039ab 5402->5403 5408 4038b4 5403->5408 5405 4039cb 5406 403198 4 API calls 5405->5406 5407 4039d2 5406->5407 5407->5378 5409 4038d5 5408->5409 5410 4038c8 5408->5410 5411 403934 5409->5411 5412 4038db 5409->5412 5413 403780 6 API calls 5410->5413 5417 403993 5411->5417 5418 40393b 5411->5418 5415 4038e1 5412->5415 5416 4038ee 5412->5416 5414 4038d0 5413->5414 5414->5405 5421 403894 6 API calls 5415->5421 5422 403894 6 API calls 5416->5422 5423 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5417->5423 5419 403941 5418->5419 5420 40394b 5418->5420 5424 403864 9 API calls 5419->5424 5425 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5420->5425 5421->5414 5426 4038fc 5422->5426 5423->5414 5424->5414 5427 40395d 5425->5427 5428 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5426->5428 5429 403864 9 API calls 5427->5429 5430 403917 5428->5430 5431 403976 5429->5431 5432 40374c VariantClear 5430->5432 5433 40374c VariantClear 5431->5433 5434 40392c 5432->5434 5435 40398b 5433->5435 5434->5405 5435->5405 5438 4034fd 5436->5438 5444 40352d 5436->5444 5437 403198 4 API calls 5440 403517 5437->5440 5439 403526 5438->5439 5441 403509 5438->5441 5442 403254 4 API calls 5439->5442 5440->5132 5451 4025c4 5441->5451 5442->5444 5444->5437 5446 407cd3 5445->5446 5450 407cc8 5445->5450 5455 407c5c 5446->5455 5449 405880 4 API calls 5449->5450 5450->5137 5452 4025ca 5451->5452 5453 4025dc 5452->5453 5454 403154 4 API calls 5452->5454 5453->5440 5453->5453 5454->5453 5456 407c70 5455->5456 5457 
407caf 5455->5457 5456->5457 5459 407bac 5456->5459 5457->5449 5457->5450 5460 407bb7 5459->5460 5461 407bc8 5459->5461 5462 405880 4 API calls 5460->5462 5463 4074a0 20 API calls 5461->5463 5462->5461 5464 407bdc 5463->5464 5465 4074a0 20 API calls 5464->5465 5466 407bfd 5465->5466 5467 407918 InterlockedExchange 5466->5467 5468 407c12 5467->5468 5469 407c28 5468->5469 5470 405880 4 API calls 5468->5470 5469->5456 5470->5469 5472 4078d6 5471->5472 5473 4078e7 5471->5473 5474 4078db InterlockedExchange 5472->5474 5473->5019 5474->5473 6247 409e47 6248 409e6c 6247->6248 6249 4098f4 15 API calls 6248->6249 6253 409e71 6249->6253 6250 409ec4 6281 4026c4 GetSystemTime 6250->6281 6252 409ec9 6254 409330 32 API calls 6252->6254 6253->6250 6256 408dd8 4 API calls 6253->6256 6255 409ed1 6254->6255 6257 4031e8 4 API calls 6255->6257 6258 409ea0 6256->6258 6259 409ede 6257->6259 6260 409ea8 MessageBoxA 6258->6260 6261 406928 5 API calls 6259->6261 6260->6250 6262 409eb5 6260->6262 6263 409eeb 6261->6263 6264 405854 5 API calls 6262->6264 6265 4066c0 5 API calls 6263->6265 6264->6250 6266 409efb 6265->6266 6267 406638 5 API calls 6266->6267 6268 409f0c 6267->6268 6269 403340 4 API calls 6268->6269 6270 409f1a 6269->6270 6271 4031e8 4 API calls 6270->6271 6272 409f2a 6271->6272 6273 4074e0 23 API calls 6272->6273 6274 409f69 6273->6274 6275 402594 4 API calls 6274->6275 6276 409f89 6275->6276 6277 407a28 5 API calls 6276->6277 6278 409fcb 6277->6278 6279 407cb8 21 API calls 6278->6279 6280 409ff2 6279->6280 6281->6252 6208 407548 6209 407554 CloseHandle 6208->6209 6210 40755d 6208->6210 6209->6210 6660 402b48 RaiseException 6211 407749 6212 4076dc WriteFile 6211->6212 6218 407724 6211->6218 6213 4076e8 6212->6213 6214 4076ef 6212->6214 6215 40748c 21 API calls 6213->6215 6216 407700 6214->6216 6217 4073ec 20 API calls 6214->6217 6215->6214 6217->6216 6218->6211 6219 4077e0 6218->6219 6220 4078db InterlockedExchange 6219->6220 6222 407890 6219->6222 6221 4078e7 6220->6221 6661 
40294a 6664 402952 6661->6664 6662 403554 4 API calls 6662->6664 6663 402967 6664->6662 6664->6663 6665 403f4a 6666 403f53 6665->6666 6667 403f5c 6665->6667 6669 403f07 6666->6669 6670 403f09 6669->6670 6673 403154 4 API calls 6670->6673 6675 403e9c 6670->6675 6680 403f3d 6670->6680 6692 403e9c 6670->6692 6672 403f3c 6672->6667 6673->6670 6674 403ef2 6676 402674 4 API calls 6674->6676 6675->6672 6675->6674 6679 403ea9 6675->6679 6683 403e8e 6675->6683 6678 403ecf 6676->6678 6678->6667 6679->6678 6682 402674 4 API calls 6679->6682 6680->6667 6682->6678 6684 403e4c 6683->6684 6685 403e62 6684->6685 6686 403e7b 6684->6686 6687 403e67 6684->6687 6689 403cc8 4 API calls 6685->6689 6688 402674 4 API calls 6686->6688 6690 403e78 6687->6690 6691 402674 4 API calls 6687->6691 6688->6690 6689->6687 6690->6674 6690->6679 6691->6690 6693 403ed7 6692->6693 6698 403ea9 6692->6698 6694 403ef2 6693->6694 6696 403e8e 4 API calls 6693->6696 6695 402674 4 API calls 6694->6695 6700 403ecf 6695->6700 6697 403ee6 6696->6697 6697->6694 6697->6698 6699 402674 4 API calls 6698->6699 6698->6700 6699->6700 6700->6670 6709 405150 6710 405163 6709->6710 6711 404e48 19 API calls 6710->6711 6712 405177 6711->6712 6282 403a52 6283 403a74 6282->6283 6284 403a5a WriteFile 6282->6284 6284->6283 6285 403a78 GetLastError 6284->6285 6285->6283 6286 402654 6287 403154 4 API calls 6286->6287 6288 402614 6287->6288 6289 402632 6288->6289 6290 403154 4 API calls 6288->6290 6289->6289 6290->6289 5657 409e62 5658 409aa0 4 API calls 5657->5658 5659 409e67 5658->5659 5660 409e6c 5659->5660 5760 402f24 5659->5760 5694 4098f4 5660->5694 5663 409ec4 5699 4026c4 GetSystemTime 5663->5699 5665 409ec9 5700 409330 5665->5700 5666 409e71 5666->5663 5765 408dd8 5666->5765 5670 4031e8 4 API calls 5672 409ede 5670->5672 5671 409ea0 5673 409ea8 MessageBoxA 5671->5673 5718 406928 5672->5718 5673->5663 5675 409eb5 5673->5675 5768 405854 5675->5768 5681 409f0c 5745 403340 5681->5745 5683 409f1a 5684 4031e8 4 API calls 
5683->5684 5685 409f2a 5684->5685 5686 4074e0 23 API calls 5685->5686 5687 409f69 5686->5687 5688 402594 4 API calls 5687->5688 5689 409f89 5688->5689 5690 407a28 5 API calls 5689->5690 5691 409fcb 5690->5691 5692 407cb8 21 API calls 5691->5692 5693 409ff2 5692->5693 5772 40953c 5694->5772 5699->5665 5703 409350 5700->5703 5704 409375 CreateDirectoryA 5703->5704 5709 408dd8 4 API calls 5703->5709 5714 407284 5 API calls 5703->5714 5717 405880 4 API calls 5703->5717 5864 406cf4 5703->5864 5887 409224 5703->5887 5906 404c84 5703->5906 5909 408da8 5703->5909 5705 4093ed 5704->5705 5706 40937f GetLastError 5704->5706 5707 40322c 4 API calls 5705->5707 5706->5703 5708 4093f7 5707->5708 5710 4031b8 4 API calls 5708->5710 5709->5703 5712 409411 5710->5712 5713 4031b8 4 API calls 5712->5713 5715 40941e 5713->5715 5714->5703 5715->5670 5717->5703 6019 406820 5718->6019 5721 403454 4 API calls 5722 40694a 5721->5722 5723 4066c0 5722->5723 6024 4068e4 5723->6024 5726 4066f0 5729 403340 4 API calls 5726->5729 5727 4066fe 5728 403454 4 API calls 5727->5728 5730 406711 5728->5730 5731 4066fc 5729->5731 5732 403340 4 API calls 5730->5732 5733 403198 4 API calls 5731->5733 5732->5731 5734 406733 5733->5734 5735 406638 5734->5735 5736 406642 5735->5736 5737 406665 5735->5737 6030 406950 5736->6030 5739 40322c 4 API calls 5737->5739 5741 40666e 5739->5741 5740 406649 5740->5737 5742 406654 5740->5742 5741->5681 5743 403340 4 API calls 5742->5743 5744 406662 5743->5744 5744->5681 5746 403344 5745->5746 5747 4033a5 5745->5747 5750 40334c 5746->5750 5751 4031e8 5746->5751 5748 403228 5748->5683 5749 40335b 5753 403254 4 API calls 5749->5753 5750->5747 5750->5749 5752 4031e8 4 API calls 5750->5752 5754 403254 4 API calls 5751->5754 5755 4031fc 5751->5755 5752->5749 5757 403375 5753->5757 5754->5755 5755->5748 5756 4025ac 4 API calls 5755->5756 5756->5748 5758 4031e8 4 API calls 5757->5758 5759 4033a1 5758->5759 5759->5683 5761 403154 4 API calls 5760->5761 5762 402f29 5761->5762 6036 
402bcc 5762->6036 5764 402f51 5764->5764 5766 408da8 4 API calls 5765->5766 5767 408df4 5766->5767 5767->5671 5769 405859 5768->5769 5770 405930 5 API calls 5769->5770 5771 40586b 5770->5771 5771->5771 5779 40955b 5772->5779 5773 409590 5775 40959d GetUserDefaultLangID 5773->5775 5780 409592 5773->5780 5774 409594 5790 407024 GetModuleHandleA GetProcAddress 5774->5790 5775->5780 5778 40956f 5784 409884 5778->5784 5779->5773 5779->5774 5779->5778 5780->5778 5781 4095cb GetACP 5780->5781 5782 4095ef 5780->5782 5781->5778 5781->5780 5782->5778 5783 409615 GetACP 5782->5783 5783->5778 5783->5782 5785 40988c 5784->5785 5789 4098c6 5784->5789 5786 403420 4 API calls 5785->5786 5785->5789 5787 4098c0 5786->5787 5848 408e80 5787->5848 5789->5666 5791 407067 5790->5791 5792 40705e 5790->5792 5793 407070 5791->5793 5794 4070a8 5791->5794 5803 403198 4 API calls 5792->5803 5811 406f68 5793->5811 5796 406f68 RegOpenKeyExA 5794->5796 5798 4070c1 5796->5798 5797 407089 5799 4070de 5797->5799 5814 406f5c 5797->5814 5798->5799 5800 406f5c 6 API calls 5798->5800 5801 40322c 4 API calls 5799->5801 5804 4070d5 RegCloseKey 5800->5804 5805 4070eb 5801->5805 5807 407120 5803->5807 5804->5799 5817 4032fc 5805->5817 5809 403198 4 API calls 5807->5809 5810 407128 5809->5810 5810->5780 5812 406f73 5811->5812 5813 406f79 RegOpenKeyExA 5811->5813 5812->5813 5813->5797 5831 406e10 5814->5831 5818 403300 5817->5818 5819 40333f 5817->5819 5820 40330a 5818->5820 5825 4031e8 5818->5825 5819->5792 5821 403334 5820->5821 5822 40331d 5820->5822 5826 4034f0 4 API calls 5821->5826 5824 4034f0 4 API calls 5822->5824 5823 403228 5823->5792 5830 403322 5824->5830 5827 403254 4 API calls 5825->5827 5828 4031fc 5825->5828 5826->5830 5827->5828 5828->5823 5829 4025ac 4 API calls 5828->5829 5829->5823 5830->5792 5832 406e36 RegQueryValueExA 5831->5832 5833 406e7b 5832->5833 5838 406e59 5832->5838 5835 403198 4 API calls 5833->5835 5834 406e73 5836 403198 4 API calls 5834->5836 5837 406f47 RegCloseKey 
5835->5837 5836->5833 5837->5799 5838->5833 5838->5834 5839 403278 4 API calls 5838->5839 5840 403420 4 API calls 5838->5840 5839->5838 5841 406eb0 RegQueryValueExA 5840->5841 5841->5832 5842 406ecc 5841->5842 5842->5833 5843 4034f0 4 API calls 5842->5843 5844 406f0e 5843->5844 5845 406f20 5844->5845 5847 403420 4 API calls 5844->5847 5846 4031e8 4 API calls 5845->5846 5846->5833 5847->5845 5849 408e8e 5848->5849 5851 408ea6 5849->5851 5861 408e18 5849->5861 5852 408e18 4 API calls 5851->5852 5853 408eca 5851->5853 5852->5853 5854 407918 InterlockedExchange 5853->5854 5855 408ee5 5854->5855 5856 408e18 4 API calls 5855->5856 5858 408ef8 5855->5858 5856->5858 5857 408e18 4 API calls 5857->5858 5858->5857 5859 403278 4 API calls 5858->5859 5860 408f27 5858->5860 5859->5858 5860->5789 5862 405880 4 API calls 5861->5862 5863 408e29 5862->5863 5863->5851 5913 406a58 5864->5913 5867 406d26 5868 406a58 5 API calls 5867->5868 5871 406d72 5867->5871 5870 406d36 5868->5870 5873 406a34 7 API calls 5870->5873 5875 406d42 5870->5875 5921 406888 5871->5921 5873->5875 5874 406d67 5874->5871 5933 406cc8 GetWindowsDirectoryA 5874->5933 5875->5871 5875->5874 5877 406a58 5 API calls 5875->5877 5880 406d5b 5877->5880 5879 406638 5 API calls 5881 406d87 5879->5881 5880->5874 5883 406a34 7 API calls 5880->5883 5882 40322c 4 API calls 5881->5882 5884 406d91 5882->5884 5883->5874 5885 4031b8 4 API calls 5884->5885 5886 406dab 5885->5886 5886->5703 5888 409244 5887->5888 5889 406638 5 API calls 5888->5889 5890 40925d 5889->5890 5891 40322c 4 API calls 5890->5891 5898 409268 5891->5898 5893 406978 6 API calls 5893->5898 5894 4033b4 4 API calls 5894->5898 5895 408dd8 4 API calls 5895->5898 5897 405880 4 API calls 5897->5898 5898->5893 5898->5894 5898->5895 5898->5897 5899 4092e4 5898->5899 5973 4091b0 5898->5973 5981 409034 5898->5981 5900 40322c 4 API calls 5899->5900 5901 4092ef 5900->5901 5902 4031b8 4 API calls 5901->5902 5903 409309 5902->5903 5904 403198 4 API calls 5903->5904 5905 
409311 5904->5905 5905->5703 5907 405198 19 API calls 5906->5907 5908 404ca2 5907->5908 5908->5703 5910 408dc8 5909->5910 6009 408c80 5910->6009 5914 4034f0 4 API calls 5913->5914 5915 406a6b 5914->5915 5916 406a82 GetEnvironmentVariableA 5915->5916 5920 406a95 5915->5920 5935 406dec 5915->5935 5916->5915 5917 406a8e 5916->5917 5918 403198 4 API calls 5917->5918 5918->5920 5920->5867 5930 406a34 5920->5930 5922 403414 5921->5922 5923 4068ab GetFullPathNameA 5922->5923 5924 4068b7 5923->5924 5925 4068ce 5923->5925 5924->5925 5927 4068bf 5924->5927 5926 40322c 4 API calls 5925->5926 5928 4068cc 5926->5928 5929 403278 4 API calls 5927->5929 5928->5879 5929->5928 5939 4069dc 5930->5939 5934 406ce9 5933->5934 5934->5871 5936 406dfa 5935->5936 5937 4034f0 4 API calls 5936->5937 5938 406e08 5937->5938 5938->5915 5946 406978 5939->5946 5941 4069fe 5942 406a06 GetFileAttributesA 5941->5942 5943 406a1b 5942->5943 5944 403198 4 API calls 5943->5944 5945 406a23 5944->5945 5945->5867 5956 406744 5946->5956 5948 4069b0 5951 4069c6 5948->5951 5952 4069bb 5948->5952 5950 406989 5950->5948 5963 406970 CharPrevA 5950->5963 5964 403454 5951->5964 5954 40322c 4 API calls 5952->5954 5955 4069c4 5954->5955 5955->5941 5960 406755 5956->5960 5957 4067b9 5958 4067b4 5957->5958 5959 406680 IsDBCSLeadByte 5957->5959 5958->5950 5959->5958 5960->5957 5962 406773 5960->5962 5962->5958 5971 406680 IsDBCSLeadByte 5962->5971 5963->5950 5965 403486 5964->5965 5966 403459 5964->5966 5967 403198 4 API calls 5965->5967 5966->5965 5969 40346d 5966->5969 5968 40347c 5967->5968 5968->5955 5970 403278 4 API calls 5969->5970 5970->5968 5972 406694 5971->5972 5972->5962 5974 403198 4 API calls 5973->5974 5976 4091d1 5974->5976 5978 4091fe 5976->5978 5990 4032a8 5976->5990 5993 403494 5976->5993 5979 403198 4 API calls 5978->5979 5980 409213 5979->5980 5980->5898 5997 408f70 5981->5997 5983 40904a 5984 40904e 5983->5984 6003 406a48 5983->6003 5984->5898 5987 409081 6006 408fac 5987->6006 5991 403278 4 API 
calls 5990->5991 5992 4032b5 5991->5992 5992->5976 5994 4034c3 5993->5994 5995 403498 5993->5995 5994->5976 5996 4034f0 4 API calls 5995->5996 5996->5994 5998 408f7a 5997->5998 5999 408f7e 5997->5999 5998->5983 6000 408fa0 SetLastError 5999->6000 6001 408f87 Wow64DisableWow64FsRedirection 5999->6001 6002 408f9b 6000->6002 6001->6002 6002->5983 6004 4069dc 7 API calls 6003->6004 6005 406a52 GetLastError 6004->6005 6005->5987 6007 408fb1 Wow64RevertWow64FsRedirection 6006->6007 6008 408fbb 6006->6008 6007->6008 6008->5898 6010 403198 4 API calls 6009->6010 6011 408cb1 6009->6011 6010->6011 6013 408cc8 6011->6013 6015 403278 4 API calls 6011->6015 6017 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6011->6017 6018 408cdc 6011->6018 6012 4031b8 4 API calls 6014 408d69 6012->6014 6016 4032fc 4 API calls 6013->6016 6014->5703 6015->6011 6016->6018 6017->6011 6018->6012 6020 406744 IsDBCSLeadByte 6019->6020 6022 406835 6020->6022 6021 40687f 6021->5721 6022->6021 6023 406680 IsDBCSLeadByte 6022->6023 6023->6022 6025 4068f3 6024->6025 6026 406820 IsDBCSLeadByte 6025->6026 6029 4068fe 6026->6029 6027 4066ea 6027->5726 6027->5727 6028 406680 IsDBCSLeadByte 6028->6029 6029->6027 6029->6028 6031 406957 6030->6031 6032 40695b 6030->6032 6031->5740 6035 406970 CharPrevA 6032->6035 6034 40696c 6034->5740 6035->6034 6037 402bd5 RaiseException 6036->6037 6038 402be6 6036->6038 6037->6038 6038->5764 6291 402e64 6292 402e69 6291->6292 6293 402e7a RtlUnwind 6292->6293 6294 402e5e 6292->6294 6295 402e9d 6293->6295 6312 40667c IsDBCSLeadByte 6313 406694 6312->6313 6725 403f7d 6727 403fa2 6725->6727 6730 403f84 6725->6730 6726 403f8c 6728 403e8e 4 API calls 6727->6728 6727->6730 6728->6730 6729 402674 4 API calls 6731 403fca 6729->6731 6730->6726 6730->6729 6738 403d02 6740 403d12 6738->6740 6739 403ddf ExitProcess 6740->6739 6741 403db8 6740->6741 6745 403dea 6740->6745 6748 403da4 6740->6748 6749 403d8f MessageBoxA 6740->6749 6742 403cc8 4 API calls 6741->6742 6743 403dc2 
6742->6743 6744 403cc8 4 API calls 6743->6744 6746 403dcc 6744->6746 6758 4019dc 6746->6758 6754 403fe4 6748->6754 6749->6741 6750 403dd1 6750->6739 6750->6745 6755 403fe8 6754->6755 6756 403f07 4 API calls 6755->6756 6757 404006 6756->6757 6759 401abb 6758->6759 6760 4019ed 6758->6760 6759->6750 6761 401a04 RtlEnterCriticalSection 6760->6761 6762 401a0e LocalFree 6760->6762 6761->6762 6763 401a41 6762->6763 6764 401a2f VirtualFree 6763->6764 6765 401a49 6763->6765 6764->6763 6766 401a70 LocalFree 6765->6766 6767 401a87 6765->6767 6766->6766 6766->6767 6768 401aa9 RtlDeleteCriticalSection 6767->6768 6769 401a9f RtlLeaveCriticalSection 6767->6769 6768->6750 6769->6768 6322 404206 6323 4041cc 6322->6323 6326 40420a 6322->6326 6324 404282 6325 403154 4 API calls 6327 404323 6325->6327 6326->6324 6326->6325 6328 402c08 6331 402c82 6328->6331 6332 402c19 6328->6332 6329 402c56 RtlUnwind 6330 403154 4 API calls 6329->6330 6330->6331 6332->6329 6332->6331 6335 402b28 6332->6335 6336 402b31 RaiseException 6335->6336 6337 402b47 6335->6337 6336->6337 6337->6329 6338 408c10 6339 408c17 6338->6339 6340 403198 4 API calls 6339->6340 6347 408cb1 6340->6347 6341 408cdc 6342 4031b8 4 API calls 6341->6342 6344 408d69 6342->6344 6343 408cc8 6346 4032fc 4 API calls 6343->6346 6345 403278 4 API calls 6345->6347 6346->6341 6347->6341 6347->6343 6347->6345 6348 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6347->6348 6348->6347 6349 40a011 6350 40a036 6349->6350 6351 407918 InterlockedExchange 6350->6351 6353 40a060 6351->6353 6352 40a070 6359 4076ac SetEndOfFile 6352->6359 6353->6352 6354 409aa0 4 API calls 6353->6354 6354->6352 6356 40a08c 6357 4025ac 4 API calls 6356->6357 6358 40a0c3 6357->6358 6360 4076c3 6359->6360 6361 4076bc 6359->6361 6360->6356 6362 40748c 21 API calls 6361->6362 6362->6360 6774 409916 6775 409918 6774->6775 6776 409956 CallWindowProcA 6775->6776 6777 40993a 6775->6777 6776->6777 6090 407017 6091 407008 SetErrorMode 6090->6091 6367 403018 6368 403070 
6367->6368 6369 403025 6367->6369 6370 40302a RtlUnwind 6369->6370 6371 40304e 6370->6371 6373 402f78 6371->6373 6374 402be8 6371->6374 6375 402bf1 RaiseException 6374->6375 6376 402c04 6374->6376 6375->6376 6376->6368 6784 409918 6785 40993a 6784->6785 6787 409927 6784->6787 6786 409956 CallWindowProcA 6786->6785 6787->6785 6787->6786 6381 40901e 6382 409010 6381->6382 6383 408fac Wow64RevertWow64FsRedirection 6382->6383 6384 409018 6383->6384 6385 409020 SetLastError 6386 409029 6385->6386 6397 403a28 ReadFile 6398 403a46 6397->6398 6399 403a49 GetLastError 6397->6399 6228 40762c ReadFile 6229 407663 6228->6229 6230 40764c 6228->6230 6231 407652 GetLastError 6230->6231 6232 40765c 6230->6232 6231->6229 6231->6232 6233 40748c 21 API calls 6232->6233 6233->6229 6404 40a02c 6405 409aa0 4 API calls 6404->6405 6406 40a031 6405->6406 6407 40a036 6406->6407 6408 402f24 5 API calls 6406->6408 6409 407918 InterlockedExchange 6407->6409 6408->6407 6410 40a060 6409->6410 6411 40a070 6410->6411 6412 409aa0 4 API calls 6410->6412 6413 4076ac 22 API calls 6411->6413 6412->6411 6414 40a08c 6413->6414 6415 4025ac 4 API calls 6414->6415 6416 40a0c3 6415->6416 6788 40712e 6789 407118 6788->6789 6790 403198 4 API calls 6789->6790 6791 407120 6790->6791 6792 403198 4 API calls 6791->6792 6793 407128 6792->6793 6794 408f30 6797 408dfc 6794->6797 6798 408e05 6797->6798 6799 403198 4 API calls 6798->6799 6800 408e13 6798->6800 6799->6798 6801 403932 6802 403924 6801->6802 6805 40374c 6802->6805 6804 40392c 6806 403766 6805->6806 6807 403759 6805->6807 6806->6804 6807->6806 6808 403779 VariantClear 6807->6808 6808->6804 6039 4075c4 SetFilePointer 6040 4075f7 6039->6040 6041 4075e7 GetLastError 6039->6041 6041->6040 6042 4075f0 6041->6042 6043 40748c 21 API calls 6042->6043 6043->6040 6417 405ac4 6418 405ad4 6417->6418 6419 405acc 6417->6419 6420 405ad2 6419->6420 6421 405adb 6419->6421 6424 405a3c 6420->6424 6422 405930 5 API calls 6421->6422 6422->6418 6425 405a44 6424->6425 6426 
405a5e 6425->6426 6427 403154 4 API calls 6425->6427 6428 405a63 6426->6428 6429 405a7a 6426->6429 6427->6425 6431 405930 5 API calls 6428->6431 6430 403154 4 API calls 6429->6430 6432 405a7f 6430->6432 6433 405a76 6431->6433 6434 4059a0 19 API calls 6432->6434 6435 403154 4 API calls 6433->6435 6434->6433 6436 405aa8 6435->6436 6437 403154 4 API calls 6436->6437 6438 405ab6 6437->6438 6438->6418 6439 4076c8 WriteFile 6440 4076e8 6439->6440 6441 4076ef 6439->6441 6442 40748c 21 API calls 6440->6442 6443 407700 6441->6443 6444 4073ec 20 API calls 6441->6444 6442->6441 6444->6443 6445 40a2ca 6454 4096fc 6445->6454 6448 402f24 5 API calls 6449 40a2d4 6448->6449 6450 403198 4 API calls 6449->6450 6451 40a2f3 6450->6451 6452 403198 4 API calls 6451->6452 6453 40a2fb 6452->6453 6463 40569c 6454->6463 6456 409745 6460 403198 4 API calls 6456->6460 6457 409717 6457->6456 6469 40720c 6457->6469 6459 409735 6462 40973d MessageBoxA 6459->6462 6461 40975a 6460->6461 6461->6448 6462->6456 6464 403154 4 API calls 6463->6464 6465 4056a1 6464->6465 6466 4056b9 6465->6466 6467 403154 4 API calls 6465->6467 6466->6457 6468 4056af 6467->6468 6468->6457 6470 40569c 4 API calls 6469->6470 6471 40721b 6470->6471 6472 407221 6471->6472 6473 40722f 6471->6473 6474 40322c 4 API calls 6472->6474 6476 40724b 6473->6476 6477 40723f 6473->6477 6475 40722d 6474->6475 6475->6459 6487 4032b8 6476->6487 6480 4071d0 6477->6480 6481 40322c 4 API calls 6480->6481 6482 4071df 6481->6482 6483 4071fc 6482->6483 6484 406950 CharPrevA 6482->6484 6483->6475 6485 4071eb 6484->6485 6485->6483 6486 4032fc 4 API calls 6485->6486 6486->6483 6488 403278 4 API calls 6487->6488 6489 4032c2 6488->6489 6489->6475 6490 402ccc 6491 402cdd 6490->6491 6495 402cfe 6490->6495 6492 402d88 RtlUnwind 6491->6492 6494 402b28 RaiseException 6491->6494 6491->6495 6493 403154 4 API calls 6492->6493 6493->6495 6496 402d7f 6494->6496 6496->6492 6817 403fcd 6818 403f07 4 API calls 6817->6818 6819 403fd6 6818->6819 6820 403e9c 4 API 
calls 6819->6820 6821 403fe2 6820->6821 5475 4024d0 5476 4024e4 5475->5476 5477 4024f7 5475->5477 5514 401918 RtlInitializeCriticalSection 5476->5514 5479 402518 5477->5479 5480 40250e RtlEnterCriticalSection 5477->5480 5491 402300 5479->5491 5480->5479 5483 4024ed 5485 402525 5488 402581 5485->5488 5489 402577 RtlLeaveCriticalSection 5485->5489 5487 402531 5487->5485 5521 40215c 5487->5521 5489->5488 5492 402314 5491->5492 5493 402335 5492->5493 5495 4023b8 5492->5495 5494 402344 5493->5494 5535 401b74 5493->5535 5494->5485 5501 401fd4 5494->5501 5495->5494 5499 402455 5495->5499 5538 401d80 5495->5538 5546 401e84 5495->5546 5499->5494 5542 401d00 5499->5542 5502 401fe8 5501->5502 5503 401ffb 5501->5503 5504 401918 4 API calls 5502->5504 5505 402012 RtlEnterCriticalSection 5503->5505 5508 40201c 5503->5508 5506 401fed 5504->5506 5505->5508 5506->5503 5507 401ff1 5506->5507 5511 402052 5507->5511 5508->5511 5628 401ee0 5508->5628 5511->5487 5512 402147 5512->5487 5513 40213d RtlLeaveCriticalSection 5513->5512 5515 40193c RtlEnterCriticalSection 5514->5515 5516 401946 5514->5516 5515->5516 5517 401964 LocalAlloc 5516->5517 5518 40197e 5517->5518 5519 4019c3 RtlLeaveCriticalSection 5518->5519 5520 4019cd 5518->5520 5519->5520 5520->5477 5520->5483 5522 40217a 5521->5522 5523 402175 5521->5523 5525 4021ab RtlEnterCriticalSection 5522->5525 5527 4021b5 5522->5527 5529 40217e 5522->5529 5524 401918 4 API calls 5523->5524 5524->5522 5525->5527 5526 4021c1 5530 4022e3 RtlLeaveCriticalSection 5526->5530 5531 4022ed 5526->5531 5527->5526 5528 402244 5527->5528 5533 402270 5527->5533 5528->5529 5532 401d80 7 API calls 5528->5532 5529->5485 5530->5531 5531->5485 5532->5529 5533->5526 5534 401d00 7 API calls 5533->5534 5534->5526 5536 40215c 9 API calls 5535->5536 5537 401b95 5536->5537 5537->5494 5539 401d92 5538->5539 5540 401d89 5538->5540 5539->5495 5540->5539 5541 401b74 9 API calls 5540->5541 5541->5539 5543 401d4e 5542->5543 5544 401d1e 5542->5544 5543->5544 5551 401c68 

                                                  Control-flow Graph

                                                  APIs
                                                  • GetSystemInfo.KERNEL32(?), ref: 00409B42
                                                  • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B4D
                                                  • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409B8E
                                                  • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BC0
                                                  • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409BD0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Virtual$ProtectQuery$InfoSystem
                                                  • String ID:
                                                  • API String ID: 2441996862-0
                                                  • Opcode ID: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
                                                  • Instruction ID: 3002c4020e31fcb34e6ffc2d5983d7aa910ebdc8277ab133fd4bc27d875cdae8
                                                  • Opcode Fuzzy Hash: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
                                                  • Instruction Fuzzy Hash: F4219DB12003046BD7709AA99C85E5777E9EB85370F04082BFA89E32D3D239FC40C669
                                                  APIs
                                                  • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID:
                                                  • API String ID: 2299586839-0
                                                  • Opcode ID: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
                                                  • Instruction ID: f5e54e9283223dc3068d295e9d46a059fb55c29f9ef527c49189185961fa2cd4
                                                  • Opcode Fuzzy Hash: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
                                                  • Instruction Fuzzy Hash: 42E0927170021426D710A9A99C86AEB735CEB58310F4002BFB908E73C6EDB49E844AEE

                                                  Control-flow Graph

                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C60), ref: 00404582
                                                  • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                  • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                  • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                  • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00409C60), ref: 004045C6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$HandleModulePolicyProcess
                                                  • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                  • API String ID: 3256987805-3653653586
                                                  • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                  • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                  • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                  • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                  Control-flow Graph

                                                  APIs
                                                  • SetLastError.KERNEL32 ref: 0040A0F4
                                                    • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,02082394), ref: 0040966C
                                                  • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                  • SetWindowLongA.USER32(00020450,000000FC,00409918), ref: 0040A148
                                                  • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                  • 73A25CF0.USER32(00020450,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastWindow$CreateDirectoryLongRemove
                                                  • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                  • API String ID: 3341979996-3001827809
                                                  • Opcode ID: 1a4f1778be80c46942aa9f98cae2169e0a6230f8324263ff29803b7c5577a5a1
                                                  • Instruction ID: a1ec2b29f79e5ff862fc4fad7e4f310b8339f10a1453332cc6b7faa73b6a426b
                                                  • Opcode Fuzzy Hash: 1a4f1778be80c46942aa9f98cae2169e0a6230f8324263ff29803b7c5577a5a1
                                                  • Instruction Fuzzy Hash: C2411F71600205DFD710EBA9EE8AB9977A4EB45304F10467EF514B73E2CBB8A811CB9D

                                                  Control-flow Graph

                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090C4
                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090DE
                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                  • API String ID: 1646373207-2130885113
                                                  • Opcode ID: acfb4439f313785c2c2b120c37d6defef782ad7ac64c67e7eba3e924cf2abd75
                                                  • Instruction ID: 4a4222b704d734fa8d0781b40c04fe9f9c76e7b4f133337d95099c0c8a01123f
                                                  • Opcode Fuzzy Hash: acfb4439f313785c2c2b120c37d6defef782ad7ac64c67e7eba3e924cf2abd75
                                                  • Instruction Fuzzy Hash: 20017170748342AEFB00BB72DD4AB163A68E785704F50457BF5407A2D3DABD4C04DA6D

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                  • SetWindowLongA.USER32(00020450,000000FC,00409918), ref: 0040A148
                                                    • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040A1B9,?), ref: 00406B94
                                                    • Part of subcall function 004099A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02082394,00409A90,00000000,00409A77), ref: 00409A14
                                                    • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02082394,00409A90,00000000), ref: 00409A28
                                                    • Part of subcall function 004099A4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                    • Part of subcall function 004099A4: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                    • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02082394,00409A90), ref: 00409A5C
                                                  • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                  • 73A25CF0.USER32(00020450,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
                                                  • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                  • API String ID: 978128352-3001827809
                                                  • Opcode ID: abb3e52ba2d34a87c951cbeec188d4c3ff7361d17d45cb79fe2b458f8c7fb345
                                                  • Instruction ID: f39d198f6ca78f9e57da3cbf677d536b45cc778db879de651171db1d1b5627bc
                                                  • Opcode Fuzzy Hash: abb3e52ba2d34a87c951cbeec188d4c3ff7361d17d45cb79fe2b458f8c7fb345
                                                  • Instruction Fuzzy Hash: 07411A71604204DFD714EBA9EE86B5A77A4EB49304F10427EE514B73E1CBB8A810CB9D

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02082394,00409A90,00000000,00409A77), ref: 00409A14
                                                  • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02082394,00409A90,00000000), ref: 00409A28
                                                  • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                  • GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                  • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02082394,00409A90), ref: 00409A5C
                                                    • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,02082394), ref: 0040966C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                  • String ID: D
                                                  • API String ID: 3356880605-2746444292
                                                  • Opcode ID: ad223a4d496df5c95c16f58257358154d13b00c0811500baad5b3d8f4e498b4c
                                                  • Instruction ID: 6ea97129cf5aa135a7f7046e3a99eae43c862e8aca722617c6144c18eae127a8
                                                  • Opcode Fuzzy Hash: ad223a4d496df5c95c16f58257358154d13b00c0811500baad5b3d8f4e498b4c
                                                  • Instruction Fuzzy Hash: 3A1142B17442486EDB10EBE68C42FAEB7ACEF49714F50017BB604F72C2DA785D048A69

                                                  Control-flow Graph

                                                  APIs
                                                  • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Message
                                                  • String ID: .tmp$y@
                                                  • API String ID: 2030045667-2396523267
                                                  • Opcode ID: 68ca499064e88ad8d4bc1f4a2fd3397b1c963b2c890da41c2fdfea5cc663c78d
                                                  • Instruction ID: eba11cc0b212557bcf85e4c41764595d0d3f2f842990b0293eb01d0c1562b25b
                                                  • Opcode Fuzzy Hash: 68ca499064e88ad8d4bc1f4a2fd3397b1c963b2c890da41c2fdfea5cc663c78d
                                                  • Instruction Fuzzy Hash: 9841BD30600200DFC711EF25DE96A5A77A5EB49304B50463AF804B73E2CBB9AC05CBED

                                                  Control-flow Graph

                                                  APIs
                                                  • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Message
                                                  • String ID: .tmp$y@
                                                  • API String ID: 2030045667-2396523267
                                                  • Opcode ID: b92571b7798fdf1738320cf5764acc74050170256781880fb7a821db28d3127f
                                                  • Instruction ID: fef9de22095f7e51d457e3baefdda2d393bbfb66a144e2f6f14d312cbfdc2d61
                                                  • Opcode Fuzzy Hash: b92571b7798fdf1738320cf5764acc74050170256781880fb7a821db28d3127f
                                                  • Instruction Fuzzy Hash: 3A418D70610204DFC711EF25DED6A5A77A5EB49308B50463AF804B73E2CBB9AC05CBAD

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                  • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CreateDirectoryErrorLast
                                                  • String ID: .tmp
                                                  • API String ID: 1375471231-2986845003
                                                  • Opcode ID: 8228534b5fce36e17f8a1a4f12b5018fbfc2097e6833105d4f39ac42e8c6f43b
                                                  • Instruction ID: a1094b0e4056d8a2da25745c6e48f9a4b2523a9a3c4edc503687ab74cbc79d39
                                                  • Opcode Fuzzy Hash: 8228534b5fce36e17f8a1a4f12b5018fbfc2097e6833105d4f39ac42e8c6f43b
                                                  • Instruction Fuzzy Hash: 3A213674A002099BDB05FFA1C9429DEB7B9EF48304F50457BE901B73C2DA7C9E059AA5

                                                  Control-flow Graph
                                                  APIs
                                                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  • Opcode ID: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                  • Instruction ID: ef7112967ca92329f6454244f41010afd6781152a6d2bd16d4b387d8db15cd6b
                                                  • Opcode Fuzzy Hash: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                  • Instruction Fuzzy Hash: F951D12294D2910FC7126B7849685A53FE0FE5331532E92FBC5C1AB1A3D27CA847D35B

                                                  Control-flow Graph
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                  • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorLibraryLoadMode
                                                  • String ID:
                                                  • API String ID: 2987862817-0
                                                  • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                  • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                  • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                  • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568

                                                  Control-flow Graph
                                                  APIs
                                                  • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                  • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                    • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020803AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$FilePointer
                                                  • String ID:
                                                  • API String ID: 1156039329-0
                                                  • Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                  • Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
                                                  • Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                  • Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

                                                  Control-flow Graph
                                                  APIs
                                                  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                  • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastRead
                                                  • String ID:
                                                  • API String ID: 1948546556-0
                                                  • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                  • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                  • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                  • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB

                                                  Control-flow Graph
                                                  APIs
                                                  • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                  • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                    • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020803AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$FilePointer
                                                  • String ID:
                                                  • API String ID: 1156039329-0
                                                  • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                  • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                  • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                  • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                  APIs
                                                  • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Virtual$AllocFree
                                                  • String ID:
                                                  • API String ID: 2087232378-0
                                                  • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                  • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                  • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                  • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
                                                  APIs
                                                  • GetSystemDefaultLCID.KERNEL32(00000000,004053A6), ref: 0040528F
                                                    • Part of subcall function 00404CCC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CE9
                                                    • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: DefaultInfoLoadLocaleStringSystem
                                                  • String ID:
                                                  • API String ID: 1658689577-0
                                                  • Opcode ID: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
                                                  • Instruction ID: 2407abf821673f044c2d0b48b7a4a38d2d1f2757cafa01d062fe92b1f2c090cc
                                                  • Opcode Fuzzy Hash: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
                                                  • Instruction Fuzzy Hash: 73314D75E0010AABCB00DF95C8C19EEB379FF84304F158977E815BB285E739AE059B98
                                                  APIs
                                                  • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                  • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                  • Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                  • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                  APIs
                                                  • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                  • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                  • Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                  • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                  APIs
                                                  • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  • Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                  • Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
                                                  • Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                  • Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
                                                  APIs
                                                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                    • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020803AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastWrite
                                                  • String ID:
                                                  • API String ID: 442123175-0
                                                  • Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                  • Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
                                                  • Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                  • Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
                                                  APIs
                                                  • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: FormatMessage
                                                  • String ID:
                                                  • API String ID: 1306739567-0
                                                  • Opcode ID: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
                                                  • Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
                                                  • Opcode Fuzzy Hash: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
                                                  • Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
                                                  APIs
                                                  • SetEndOfFile.KERNEL32(?,02098000,0040A08C,00000000), ref: 004076B3
                                                    • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020803AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLast
                                                  • String ID:
                                                  • API String ID: 734332943-0
                                                  • Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                  • Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
                                                  • Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                  • Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
                                                  APIs
                                                  • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  • Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                  • Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
                                                  • Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                  • Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
                                                  APIs
                                                  • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  • Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                  • Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
                                                  • Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                  • Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
                                                  APIs
                                                  • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CharPrev
                                                  • String ID:
                                                  • API String ID: 122130370-0
                                                  • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                  • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                  • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                  • Instruction Fuzzy Hash:
                                                  APIs
                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
                                                  • Instruction ID: 20a67eb23ea55951ef5110b519d4bcc97d420124264edb02c1094051c82f9398
                                                  • Opcode Fuzzy Hash: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
                                                  • Instruction Fuzzy Hash: D2117571A042059BDB00EF19C881B5B7794AF44359F05807EF958AB3C6DB38EC00CBAA
                                                  APIs
                                                  • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: FreeVirtual
                                                  • String ID:
                                                  • API String ID: 1263568516-0
                                                  • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                  • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                  • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                  • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle
                                                  • String ID:
                                                  • API String ID: 2962429428-0
                                                  • Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                  • Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
                                                  • Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                  • Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
                                                  APIs
                                                  • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: FreeVirtual
                                                  • String ID:
                                                  • API String ID: 1263568516-0
                                                  • Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                  • Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
                                                  • Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                  • Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000028), ref: 00409457
                                                  • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
                                                  • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
                                                  • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                  • String ID: SeShutdownPrivilege
                                                  • API String ID: 107509674-3733053543
                                                  • Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                  • Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
                                                  • Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                  • Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
                                                  APIs
                                                  • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
                                                  • SizeofResource.KERNEL32(00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 00409C09
                                                  • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000), ref: 00409C1B
                                                  • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5), ref: 00409C2C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Resource$FindLoadLockSizeof
                                                  • String ID:
                                                  • API String ID: 3473537107-0
                                                  • Opcode ID: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
                                                  • Instruction ID: ed04ed1443b666af2c347742ca0221af59beed1f1180006ed42e296f861e82c7
                                                  • Opcode Fuzzy Hash: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
                                                  • Instruction Fuzzy Hash: ECE07EA0B483562AFA6076FB08C2B2A018C4BA671DF40003BB701B92C3DEBD8C14856E
                                                  APIs
                                                  • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: SystemTime
                                                  • String ID: %~s
                                                  • API String ID: 2656138-2456064962
                                                  • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                  • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                  • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                  • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                  APIs
                                                  • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID:
                                                  • API String ID: 2299586839-0
                                                  • Opcode ID: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
                                                  • Instruction ID: 297a7c39c0825e6b478cba46507f56ab37b47465b1590baa0f4eee863dd3b982
                                                  • Opcode Fuzzy Hash: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
                                                  • Instruction Fuzzy Hash: AED05EA630E6502AE21051AB2D85EBB4A9CCEC5BA4F18407FF648D7242D6248C069B76
                                                  APIs
                                                  • GetVersionExA.KERNEL32(?,004065E0,00000000,004065EE,?,?,?,?,?,00409C65), ref: 00405CF2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Version
                                                  • String ID:
                                                  • API String ID: 1889659487-0
                                                  • Opcode ID: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
                                                  • Instruction ID: 3c95a3e10eaf3ff9c271e05f7503c1a51fdcfb4de7972086e3eff1de8b037954
                                                  • Opcode Fuzzy Hash: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
                                                  • Instruction Fuzzy Hash: FDC012A040070186D7109B31EC02B1672D4AB44310F440539AEA4953C2E73C80018A5A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                  • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                  • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                  • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 0040704D
                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 004070A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressCloseHandleModuleProc
                                                  • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                  • API String ID: 4190037839-2401316094
                                                  • Opcode ID: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
                                                  • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                  • Opcode Fuzzy Hash: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
                                                  • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
                                                  APIs
                                                  • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                  • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                  • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                  • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                  • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                  • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                  • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                  • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                  • String ID:
                                                  • API String ID: 1694776339-0
                                                  • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                  • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                  • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                  • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                  APIs
                                                  • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                  • LocalFree.KERNEL32(00600938,00000000,00401AB4), ref: 00401A1B
                                                  • VirtualFree.KERNEL32(?,00000000,00008000,00600938,00000000,00401AB4), ref: 00401A3A
                                                  • LocalFree.KERNEL32(00601938,?,00000000,00008000,00600938,00000000,00401AB4), ref: 00401A79
                                                  • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                  • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                  • String ID: 8`
                                                  • API String ID: 3782394904-1229567787
                                                  • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                  • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                  • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                  • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                  APIs
                                                  • GetSystemDefaultLCID.KERNEL32(00000000,004055FC,?,?,?,?,00000000,00000000,00000000,?,004065DB,00000000,004065EE), ref: 004053CE
                                                    • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                    • Part of subcall function 00405248: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: InfoLocale$DefaultSystem
                                                  • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                  • API String ID: 1044490935-665933166
                                                  • Opcode ID: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                  • Instruction ID: af1252b4c964b6680b9f9af4a0d1ea0fc67f86ffa9d2e4d8722b1cefb330e960
                                                  • Opcode Fuzzy Hash: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                  • Instruction Fuzzy Hash: 25515334B04548ABDB00EBA59C91A9F776AEB89304F50947BB504BB3C6CA3DCE059B5C
                                                  APIs
                                                  • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                  • ExitProcess.KERNEL32 ref: 00403DE5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ExitMessageProcess
                                                  • String ID: Error$Runtime error at 00000000$9@
                                                  • API String ID: 1220098344-1503883590
                                                  • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                  • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                  • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                  • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                  APIs
                                                  • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                  • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                  • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                  • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                  • String ID: 8`
                                                  • API String ID: 730355536-1229567787
                                                  • Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                  • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                  • Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                  • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                  • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                  • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$AllocString
                                                  • String ID:
                                                  • API String ID: 262959230-0
                                                  • Opcode ID: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                  • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                  • Opcode Fuzzy Hash: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                  • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(00000000,00409C56), ref: 004030E3
                                                  • GetCommandLineA.KERNEL32(00000000,00409C56), ref: 004030EE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CommandHandleLineModule
                                                  • String ID: U1hd.@$%^
                                                  • API String ID: 2123368496-4141759093
                                                  • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                  • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                  • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                  • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                  APIs
                                                  • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017
                                                    • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                    • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                    • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                    • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                  • String ID: 8`
                                                  • API String ID: 296031713-1229567787
                                                  • Opcode ID: 7fb1eb0f84356cbd506eb136cbf63f21b878f195235fcb7eb6ef10a759da64aa
                                                  • Instruction ID: b272be6629c35a549fc4f1c5a19e6e0df2414f51bb24a7fd7fb800939d1160d0
                                                  • Opcode Fuzzy Hash: 7fb1eb0f84356cbd506eb136cbf63f21b878f195235fcb7eb6ef10a759da64aa
                                                  • Instruction Fuzzy Hash: D4419CB2A40711DFDB108F69DEC562A77A0FB58314B25837AD984B73E1D378A842CB48
                                                  APIs
                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,004098D0,00000000), ref: 00406E4C
                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID: )q@
                                                  • API String ID: 3660427363-2284170586
                                                  • Opcode ID: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                  • Instruction ID: 7350e5e82036d2c0193b98364cdb321f9e6d5b5bf7e48a12e03045d443e4f3bd
                                                  • Opcode Fuzzy Hash: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                  • Instruction Fuzzy Hash: DC414C31D0021AAFDB21DF95C881BAFB7B8EB05704F56457AE901B7280D738AF108B99
                                                  APIs
                                                  • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 004094F7
                                                  • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409507
                                                  • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 0040951A
                                                  • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409524
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3007256488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.3007235788.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007287170.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3007325144.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastSleep
                                                  • String ID:
                                                  • API String ID: 1458359878-0
                                                  • Opcode ID: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                  • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                  • Opcode Fuzzy Hash: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                  • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9
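The "API ID" printed under each function's Similarity heading is a grouped key built from the words of the API names in that function's listing, and it is the field the report uses to relate functions across samples. The Python below is an added example, not code from this report or from Joe Sandbox: it recomputes the key from an "APIs" listing and compares the result with the values printed on this page for three of the functions above. The CamelCase split, the stop-word list and the "count, group by frequency, sort alphabetically, join with $" rule are inferred from the IDs on this page and are assumptions, not Joe Sandbox's documented algorithm; the listing text embedded in the script is copied from this page with argument lists shortened.

```python
import re
from collections import Counter

# Assumed stop list, inferred from the API IDs on this page: common prefixes and
# suffixes (Get, Set, Rtl, Sys, Reg, Ex, A/W) and a few connector words never
# appear in the printed keys. This is a reconstruction, not a documented rule.
STOPWORDS = {"Get", "Set", "Rtl", "Sys", "Reg", "Ex", "Key", "Box", "Len",
             "To", "Std", "End", "Of", "LCID", "A", "W"}

_WORD = re.compile(r"[A-Z][a-z]+|[A-Z]+(?![a-z])")
# One API per listing line: "Name.MODULE(args), ref: ..." or "Name.MODULE ref: ..."
_CALL = re.compile(r"(\w+)\.[A-Z0-9]+(?=\(| ref:)")


def words(api_name):
    """Split a Win32 export name into CamelCase words and drop stop words."""
    return [w for w in _WORD.findall(api_name) if w not in STOPWORDS]


def api_id(api_calls):
    """Grouped similarity key: count words over all listed calls (repeated calls
    and 'Part of subcall' entries included), order groups by descending count,
    sort words alphabetically inside a group and join the groups with '$'."""
    counts = Counter(w for name in api_calls for w in words(name))
    by_count = {}
    for word, n in counts.items():
        by_count.setdefault(n, []).append(word)
    return "$".join("".join(sorted(by_count[n]))
                    for n in sorted(by_count, reverse=True))


def parse_api_block(text):
    """API names from a report 'APIs' listing, in listed order."""
    return _CALL.findall(text)


# Listings copied from this page (argument lists shortened).
FILE_IO_BLOCK = """
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
• GetFileSize.KERNEL32(?,00000000), ref: 00403B42
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000), ref: 00403B5E
• ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00403B7F
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
• SetEndOfFile.KERNEL32(?), ref: 00403BB2
• GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
• GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
• CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
• GetLastError.KERNEL32(000000F5), ref: 00403C1E
"""
LOCALE_BLOCK = """
• GetSystemDefaultLCID.KERNEL32(00000000,004055FC), ref: 004053CE
  • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100), ref: 0040521A
  • Part of subcall function 00405248: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002), ref: 0040525B
"""
RUNTIME_ERROR_BLOCK = """
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
• ExitProcess.KERNEL32 ref: 00403DE5
"""

# "API ID" values printed under Similarity for those three functions on this page.
PAGE_API_IDS = {
    "FILE_IO_BLOCK": "File$HandlePointer$CloseCreateErrorLastReadSizeType",
    "LOCALE_BLOCK": "InfoLocale$DefaultSystem",
    "RUNTIME_ERROR_BLOCK": "ExitMessageProcess",
}


def check_page_ids():
    """Recompute each key and return {block name: (computed, printed)}."""
    blocks = {"FILE_IO_BLOCK": FILE_IO_BLOCK, "LOCALE_BLOCK": LOCALE_BLOCK,
              "RUNTIME_ERROR_BLOCK": RUNTIME_ERROR_BLOCK}
    return {k: (api_id(parse_api_block(v)), PAGE_API_IDS[k]) for k, v in blocks.items()}


if __name__ == "__main__":
    for name, (got, want) in check_page_ids().items():
        status = "matches" if got == want else "differs from"
        print(f"{name}: {got}  {status} page value {want}")
```

Because the key ignores argument values and call order, two functions with the same set of API words collide on it even when their control flow differs; the Instruction and Opcode fuzzy hashes printed beside it are what separate such cases, so an analyst pivoting on "API ID" alone should expect matches across unrelated runtime-library code as well as across variants of the same family.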

                                                  Execution Graph

                                                  Execution Coverage:16.1%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:4.4%
                                                  Total number of Nodes:2000
                                                  Total number of Limit Nodes:74
                                                   execution_graph: [rendered call-graph residue; the node and edge listing is omitted here. The extracted text was a flat sequence of node ids, each followed by a function start address (0x401000 through 0x4912xx in the visible part) and, for annotated nodes, the API names reached from that function or an "<n> API calls" summary, with edges written as "src->dst". APIs named in the visible part: RtlInitializeCriticalSection, RtlEnterCriticalSection, RtlLeaveCriticalSection, LocalAlloc, VirtualAlloc, VirtualFree, TlsSetValue, TlsGetValue, WriteFile, GetClassInfoA, RegisterClassA, UnregisterClassA, LoadStringA, CreateFontIndirectA, MessageBeep, GetCurrentDirectoryA, VariantClear and IsDBCSLeadByte. The listing is truncated at node 50031.]
446ff0 18 API calls 50029->50031 50033 491282 50031->50033 50194 42c94c 50033->50194 50042 4912f9 50036->50042 50043 49133c 50036->50043 50039 446ff0 18 API calls 50037->50039 50041 4912bc 50039->50041 50044 446ff0 18 API calls 50041->50044 50046 446ff0 18 API calls 50042->50046 50050 49134b 50043->50050 50051 4913af 50043->50051 50045 4912cd 50044->50045 50200 42c4f0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 50045->50200 50048 49130c 50046->50048 50052 446ff0 18 API calls 50048->50052 50049 4912d9 50201 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50049->50201 50126 446ff0 50050->50126 50059 4913ee 50051->50059 50060 4913be 50051->50060 50055 49131d 50052->50055 50202 490e7c 12 API calls 50055->50202 50056 490fc1 50233 403420 50056->50233 50069 49142d 50059->50069 50070 4913fd 50059->50070 50063 446ff0 18 API calls 50060->50063 50062 49132b 50203 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50062->50203 50066 4913cb 50063->50066 50064 491366 50067 49136a 50064->50067 50068 49139f 50064->50068 50206 4528dc Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection DeleteFileA GetLastError 50066->50206 50073 446ff0 18 API calls 50067->50073 50205 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50068->50205 50081 49146c 50069->50081 50082 49143c 50069->50082 50074 446ff0 18 API calls 50070->50074 50076 491379 50073->50076 50077 49140a 50074->50077 50075 4913d8 50207 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50075->50207 50131 452c54 50076->50131 50208 452744 50077->50208 50090 49147b 50081->50090 50091 4914b4 50081->50091 50086 446ff0 18 API calls 50082->50086 50083 4913e9 50083->50056 50084 491389 50204 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50084->50204 50085 491417 50215 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50085->50215 50089 491449 50086->50089 50216 452de4 
Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection RemoveDirectoryA GetLastError 50089->50216 50093 446ff0 18 API calls 50090->50093 50097 4914fc 50091->50097 50098 4914c3 50091->50098 50095 49148a 50093->50095 50094 491456 50217 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50094->50217 50099 446ff0 18 API calls 50095->50099 50104 49150f 50097->50104 50109 4915c5 50097->50109 50100 446ff0 18 API calls 50098->50100 50101 49149b 50099->50101 50102 4914d2 50100->50102 50218 447270 50101->50218 50103 446ff0 18 API calls 50102->50103 50105 4914e3 50103->50105 50107 446ff0 18 API calls 50104->50107 50113 447270 5 API calls 50105->50113 50108 49153c 50107->50108 50110 446ff0 18 API calls 50108->50110 50109->50056 50227 446f94 18 API calls 50109->50227 50111 491553 50110->50111 50224 407dcc 7 API calls 50111->50224 50113->50056 50114 4915de 50228 42e8c0 FormatMessageA 50114->50228 50119 491575 50120 446ff0 18 API calls 50119->50120 50121 491589 50120->50121 50225 4084f8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50121->50225 50123 491594 50226 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50123->50226 50125 4915a0 50127 446ff8 50126->50127 50237 436070 50127->50237 50129 447017 50130 42c600 7 API calls 50129->50130 50130->50064 50267 4526f8 50131->50267 50133 452c71 50133->50084 50134 452c6d 50134->50133 50135 452c95 MoveFileA GetLastError 50134->50135 50273 452734 50135->50273 50138->50056 50140 406baf 50139->50140 50141 406bd1 50140->50141 50142 406bc8 50140->50142 50276 403778 50141->50276 50143 403400 4 API calls 50142->50143 50144 406bcf 50143->50144 50146 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50144->50146 50146->50056 50147->49961 50148->50056 50149->49968 50150->50056 50151->49971 50152->50056 50283 403738 50153->50283 50156->50056 50158 403738 50157->50158 50159 42c81f GetFullPathNameA 50158->50159 50160 42c842 50159->50160 50161 42c82b 50159->50161 50163 403494 4 API 
calls 50160->50163 50161->50160 50162 42c833 50161->50162 50164 4034e0 4 API calls 50162->50164 50165 42c840 50163->50165 50164->50165 50166 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50165->50166 50166->50056 50167->49994 50168->50056 50169->50005 50170->50056 50285 42c794 50171->50285 50174 403778 4 API calls 50175 42c8bd 50174->50175 50176 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50175->50176 50176->50056 50300 42c66c 50177->50300 50180 42c8e1 50183 403778 4 API calls 50180->50183 50181 42c8d8 50182 403400 4 API calls 50181->50182 50184 42c8df 50182->50184 50183->50184 50185 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50184->50185 50185->50056 50186->50024 50187->50056 50189 42c794 IsDBCSLeadByte 50188->50189 50190 42c934 50189->50190 50191 403778 4 API calls 50190->50191 50192 42c946 50191->50192 50193 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50192->50193 50193->50056 50195 42c794 IsDBCSLeadByte 50194->50195 50196 42c95c 50195->50196 50197 403778 4 API calls 50196->50197 50198 42c96d 50197->50198 50199 447344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 50198->50199 50199->50056 50200->50049 50201->50056 50202->50062 50203->50056 50204->50056 50205->50056 50206->50075 50207->50083 50209 4526f8 2 API calls 50208->50209 50210 45275a 50209->50210 50211 45275e 50210->50211 50212 45277c CreateDirectoryA GetLastError 50210->50212 50211->50085 50213 452734 Wow64RevertWow64FsRedirection 50212->50213 50214 4527a2 50213->50214 50214->50085 50215->50056 50216->50094 50217->50056 50219 447278 50218->50219 50303 4363d8 VariantClear 50219->50303 50221 44729b 50223 4472b2 50221->50223 50304 408bfc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50221->50304 50223->50056 50224->50119 50225->50123 50226->50125 50227->50114 50229 42e8e6 50228->50229 50230 4034e0 4 API calls 50229->50230 50231 42e903 50230->50231 50232 447344 LocalAlloc TlsSetValue TlsGetValue 
TlsGetValue VariantClear 50231->50232 50232->50056 50235 403426 50233->50235 50234 40344b 50234->49951 50235->50234 50236 402660 4 API calls 50235->50236 50236->50235 50238 43607c 50237->50238 50240 43609e 50237->50240 50238->50240 50257 408bfc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50238->50257 50239 436121 50266 408bfc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50239->50266 50240->50239 50242 4360f1 50240->50242 50243 4360e5 50240->50243 50244 436115 50240->50244 50245 436109 50240->50245 50250 4360fd 50240->50250 50249 403510 4 API calls 50242->50249 50258 403510 50243->50258 50265 4040e8 18 API calls 50244->50265 50261 403494 50245->50261 50247 436132 50247->50129 50254 4360fa 50249->50254 50250->50129 50254->50129 50256 43611e 50256->50129 50257->50240 50259 4034e0 4 API calls 50258->50259 50260 40351d 50259->50260 50260->50129 50262 403498 50261->50262 50263 4034ba 50262->50263 50264 402660 4 API calls 50262->50264 50263->50129 50264->50263 50265->50256 50266->50247 50268 452706 50267->50268 50269 452702 50267->50269 50270 45270f Wow64DisableWow64FsRedirection 50268->50270 50271 452728 SetLastError 50268->50271 50269->50134 50272 452723 50270->50272 50271->50272 50272->50134 50274 452743 50273->50274 50275 452739 Wow64RevertWow64FsRedirection 50273->50275 50274->50084 50275->50274 50277 4037aa 50276->50277 50279 40377d 50276->50279 50278 403400 4 API calls 50277->50278 50282 4037a0 50278->50282 50279->50277 50280 403791 50279->50280 50281 4034e0 4 API calls 50280->50281 50281->50282 50282->50144 50284 40373c SetCurrentDirectoryA 50283->50284 50284->49980 50290 42c674 50285->50290 50287 42c7f3 50287->50174 50289 42c7a9 50289->50287 50297 42c43c IsDBCSLeadByte 50289->50297 50293 42c685 50290->50293 50291 42c6e9 50294 42c6e4 50291->50294 50299 42c43c IsDBCSLeadByte 50291->50299 50293->50291 50295 42c6a3 50293->50295 50294->50289 50295->50294 50298 42c43c IsDBCSLeadByte 50295->50298 50297->50289 50298->50295 50299->50294 50301 42c674 IsDBCSLeadByte 
50300->50301 50302 42c673 50301->50302 50302->50180 50302->50181 50303->50221 50304->50223 50305 480002 50306 48000b 50305->50306 50308 480036 50305->50308 50307 480028 50306->50307 50306->50308 50713 4766e4 189 API calls 50307->50713 50309 480075 50308->50309 50715 47eaec LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50308->50715 50310 480099 50309->50310 50313 48008c 50309->50313 50314 48008e 50309->50314 50318 4800d5 50310->50318 50319 4800b7 50310->50319 50323 47eb30 42 API calls 50313->50323 50717 47ebc4 42 API calls 50314->50717 50315 48002d 50315->50308 50714 408bd0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 50315->50714 50316 480068 50716 47eb54 42 API calls 50316->50716 50720 47e984 24 API calls 50318->50720 50324 4800cc 50319->50324 50718 47eb54 42 API calls 50319->50718 50323->50310 50719 47e984 24 API calls 50324->50719 50326 4800d3 50328 4800eb 50326->50328 50329 4800e5 50326->50329 50330 4800e9 50328->50330 50331 47eb30 42 API calls 50328->50331 50329->50330 50431 47eb30 50329->50431 50436 47bf1c 50330->50436 50331->50330 50789 47e618 42 API calls 50431->50789 50433 47eb4b 50790 408bd0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 50433->50790 50791 42d890 GetWindowsDirectoryA 50436->50791 50438 47bf3a 50439 403450 4 API calls 50438->50439 50440 47bf47 50439->50440 50793 42d8bc GetSystemDirectoryA 50440->50793 50442 47bf4f 50443 403450 4 API calls 50442->50443 50444 47bf5c 50443->50444 50795 42d8e8 50444->50795 50446 47bf64 50447 403450 4 API calls 50446->50447 50448 47bf71 50447->50448 50449 47bf96 50448->50449 50450 47bf7a 50448->50450 50452 403400 4 API calls 50449->50452 50851 42d200 50450->50851 50454 47bf94 50452->50454 50456 47bfdb 50454->50456 50458 42c8c4 5 API calls 50454->50458 50455 403450 4 API calls 50455->50454 50799 47bda4 50456->50799 50459 47bfb6 50458->50459 50461 403450 4 API calls 50459->50461 50464 47bfc3 50461->50464 50462 403450 4 API calls 50463 47bff7 50462->50463 50465 47c015 50463->50465 50467 
4035c0 4 API calls 50463->50467 50464->50456 50466 403450 4 API calls 50464->50466 50468 47bda4 8 API calls 50465->50468 50466->50456 50467->50465 50469 47c024 50468->50469 50470 403450 4 API calls 50469->50470 50471 47c031 50470->50471 50472 47c059 50471->50472 50473 42c3f4 5 API calls 50471->50473 50474 47c0c0 50472->50474 50478 47bda4 8 API calls 50472->50478 50475 47c047 50473->50475 50476 47c0ea 50474->50476 50477 47c0c9 50474->50477 50479 4035c0 4 API calls 50475->50479 50810 42c3f4 50476->50810 50480 42c3f4 5 API calls 50477->50480 50481 47c071 50478->50481 50479->50472 50483 47c0d6 50480->50483 50484 403450 4 API calls 50481->50484 50487 47c07e 50484->50487 50713->50315 50715->50316 50716->50309 50717->50310 50718->50324 50719->50326 50720->50326 50789->50433 50792 42d8b1 50791->50792 50792->50438 50794 42d8dd 50793->50794 50794->50442 50796 403400 4 API calls 50795->50796 50797 42d8f8 GetModuleHandleA GetProcAddress 50796->50797 50798 42d911 50797->50798 50798->50446 50861 42de14 50799->50861 50801 47bdca 50802 47bdf0 50801->50802 50803 47bdce 50801->50803 50804 403400 4 API calls 50802->50804 50864 42dd44 50803->50864 50806 47bdf7 50804->50806 50806->50462 50808 47bde5 RegCloseKey 50808->50806 50809 403400 4 API calls 50809->50808 50811 42c421 50810->50811 50812 42c3fe 50810->50812 50852 4038a4 4 API calls 50851->50852 50853 42d213 50852->50853 50854 42d22a GetEnvironmentVariableA 50853->50854 50858 42d23d 50853->50858 50899 42dbc8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50853->50899 50854->50853 50855 42d236 50854->50855 50856 403400 4 API calls 50855->50856 50856->50858 50858->50455 50862 42de25 RegOpenKeyExA 50861->50862 50863 42de1f 50861->50863 50862->50801 50863->50862 50867 42dbf8 50864->50867 50868 42dc1e RegQueryValueExA 50867->50868 50874 42dc41 50868->50874 50883 42dc63 50868->50883 50869 403400 4 API calls 50870 42dd2f 50869->50870 50870->50808 50870->50809 50871 42dc5b 50872 403400 4 API calls 50871->50872 50872->50883 50873 4034e0 4 
API calls 50873->50874 50874->50871 50874->50873 50874->50883 50884 403744 50874->50884 50876 42dc98 RegQueryValueExA 50876->50868 50877 42dcb4 50876->50877 50877->50883 50888 4038a4 50877->50888 50880 42dd08 50881 403450 4 API calls 50880->50881 50881->50883 50882 403744 4 API calls 50882->50880 50883->50869 50885 40374a 50884->50885 50887 40375b 50884->50887 50886 4034bc 4 API calls 50885->50886 50885->50887 50886->50887 50887->50876 50889 4038b1 50888->50889 50896 4038e1 50888->50896 50890 4038da 50889->50890 50892 4038bd 50889->50892 50893 4034bc 4 API calls 50890->50893 50891 403400 4 API calls 50895 4038cb 50891->50895 50897 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50892->50897 50893->50896 50895->50880 50895->50882 50896->50891 50897->50895 50899->50853 52961 491d44 52962 491d78 52961->52962 52963 491d7a 52962->52963 52964 491d8e 52962->52964 53097 446f94 18 API calls 52963->53097 52967 491dca 52964->52967 52968 491d9d 52964->52968 52966 491d83 Sleep 53024 491dc5 52966->53024 52973 491dd9 52967->52973 52974 491e06 52967->52974 52970 446ff0 18 API calls 52968->52970 52969 403420 4 API calls 52971 492238 52969->52971 52972 491dac 52970->52972 52976 491db4 FindWindowA 52972->52976 52975 446ff0 18 API calls 52973->52975 52979 491e5c 52974->52979 52980 491e15 52974->52980 52977 491de6 52975->52977 52978 447270 5 API calls 52976->52978 52981 491dee FindWindowA 52977->52981 52978->53024 52985 491eb8 52979->52985 52986 491e6b 52979->52986 53098 446f94 18 API calls 52980->53098 52983 447270 5 API calls 52981->52983 53039 491e01 52983->53039 52984 491e21 53099 446f94 18 API calls 52984->53099 52993 491f14 52985->52993 52994 491ec7 52985->52994 53102 446f94 18 API calls 52986->53102 52989 491e2e 53100 446f94 18 API calls 52989->53100 52990 491e77 53103 446f94 18 API calls 52990->53103 52992 491e3b 53101 446f94 18 API calls 52992->53101 53003 491f4e 52993->53003 53004 491f23 52993->53004 53107 446f94 18 API calls 52994->53107 52998 491e84 53104 446f94 18 
API calls 52998->53104 52999 491e46 SendMessageA 53002 447270 5 API calls 52999->53002 53000 491ed3 53108 446f94 18 API calls 53000->53108 53002->53039 53015 491f5d 53003->53015 53021 491f9c 53003->53021 53007 446ff0 18 API calls 53004->53007 53006 491e91 53105 446f94 18 API calls 53006->53105 53011 491f30 53007->53011 53008 491ee0 53109 446f94 18 API calls 53008->53109 53010 491e9c PostMessageA 53106 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53010->53106 53016 491f38 RegisterClipboardFormatA 53011->53016 53014 491eed 53110 446f94 18 API calls 53014->53110 53112 446f94 18 API calls 53015->53112 53020 447270 5 API calls 53016->53020 53019 491f69 53113 446f94 18 API calls 53019->53113 53020->53024 53025 491fab 53021->53025 53026 491ff0 53021->53026 53022 491ef8 SendNotifyMessageA 53111 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53022->53111 53024->52969 53115 446f94 18 API calls 53025->53115 53033 491fff 53026->53033 53034 492044 53026->53034 53028 491f76 53114 446f94 18 API calls 53028->53114 53031 491fb7 53116 446f94 18 API calls 53031->53116 53032 491f81 SendMessageA 53036 447270 5 API calls 53032->53036 53119 446f94 18 API calls 53033->53119 53043 492053 53034->53043 53044 4920a6 53034->53044 53036->53039 53038 491fc4 53117 446f94 18 API calls 53038->53117 53039->53024 53040 49200b 53120 446f94 18 API calls 53040->53120 53042 491fcf PostMessageA 53118 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53042->53118 53047 446ff0 18 API calls 53043->53047 53051 49212d 53044->53051 53052 4920b5 53044->53052 53049 492060 53047->53049 53048 492018 53121 446f94 18 API calls 53048->53121 53053 42e38c 2 API calls 53049->53053 53062 49213c 53051->53062 53063 492162 53051->53063 53055 446ff0 18 API calls 53052->53055 53056 49206d 53053->53056 53054 492023 SendNotifyMessageA 53122 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53054->53122 53058 4920c4 53055->53058 53059 492083 GetLastError 
53056->53059 53060 492073 53056->53060 53123 446f94 18 API calls 53058->53123 53064 447270 5 API calls 53059->53064 53061 447270 5 API calls 53060->53061 53065 492081 53061->53065 53128 446f94 18 API calls 53062->53128 53070 492171 53063->53070 53071 492194 53063->53071 53064->53065 53069 447270 5 API calls 53065->53069 53068 492146 FreeLibrary 53129 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53068->53129 53069->53024 53074 446ff0 18 API calls 53070->53074 53080 4921a3 53071->53080 53086 4921d7 53071->53086 53072 4920d7 GetProcAddress 53075 49211d 53072->53075 53076 4920e3 53072->53076 53077 49217d 53074->53077 53127 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53075->53127 53124 446f94 18 API calls 53076->53124 53082 492185 CreateMutexA 53077->53082 53130 48c174 18 API calls 53080->53130 53081 4920ef 53125 446f94 18 API calls 53081->53125 53082->53024 53085 4920fc 53088 447270 5 API calls 53085->53088 53086->53024 53132 48c174 18 API calls 53086->53132 53091 49210d 53088->53091 53089 4921af 53090 4921c0 OemToCharBuffA 53089->53090 53131 48c18c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53090->53131 53126 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53091->53126 53094 4921f2 53095 492203 CharToOemBuffA 53094->53095 53133 48c18c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53095->53133 53097->52966 53098->52984 53099->52989 53100->52992 53101->52999 53102->52990 53103->52998 53104->53006 53105->53010 53106->53039 53107->53000 53108->53008 53109->53014 53110->53022 53111->53024 53112->53019 53113->53028 53114->53032 53115->53031 53116->53038 53117->53042 53118->53039 53119->53040 53120->53048 53121->53054 53122->53024 53123->53072 53124->53081 53125->53085 53126->53039 53127->53039 53128->53068 53129->53024 53130->53089 53131->53024 53132->53094 53133->53024 53134 41ee4c 53135 41ee91 53134->53135 53136 41ee5b IsWindowVisible 53134->53136 53136->53135 53137 41ee65 
IsWindowEnabled 53136->53137 53137->53135 53138 41ee6f 53137->53138 53139 402648 4 API calls 53138->53139 53140 41ee79 EnableWindow 53139->53140 53140->53135 53141 41fb50 53142 41fb59 53141->53142 53145 41fdf4 53142->53145 53144 41fb66 53146 41fee6 53145->53146 53147 41fe0b 53145->53147 53146->53144 53147->53146 53166 41f9b4 GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 53147->53166 53149 41fe41 53150 41fe45 53149->53150 53151 41fe6b 53149->53151 53167 41fb94 53150->53167 53176 41f9b4 GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 53151->53176 53155 41fe79 53157 41fea3 53155->53157 53158 41fe7d 53155->53158 53156 41fb94 10 API calls 53165 41fe69 53156->53165 53160 41fb94 10 API calls 53157->53160 53159 41fb94 10 API calls 53158->53159 53161 41fe8f 53159->53161 53162 41feb5 53160->53162 53163 41fb94 10 API calls 53161->53163 53164 41fb94 10 API calls 53162->53164 53163->53165 53164->53165 53165->53144 53166->53149 53168 41fbaf 53167->53168 53169 41f934 4 API calls 53168->53169 53170 41fbc5 53168->53170 53169->53170 53177 41f934 53170->53177 53172 41fc0d 53173 41fc30 SetScrollInfo 53172->53173 53185 41fa94 53173->53185 53176->53155 53196 4181d8 53177->53196 53179 41f951 GetWindowLongA 53180 41f98e 53179->53180 53181 41f96e 53179->53181 53199 41f8c0 GetWindowLongA GetSystemMetrics GetSystemMetrics 53180->53199 53198 41f8c0 GetWindowLongA GetSystemMetrics GetSystemMetrics 53181->53198 53184 41f97a 53184->53172 53186 41faa2 53185->53186 53187 41faaa 53185->53187 53186->53156 53188 41fae9 53187->53188 53189 41fad9 53187->53189 53195 41fae7 53187->53195 53201 417e40 IsWindowVisible ScrollWindow SetWindowPos 53188->53201 53200 417e40 IsWindowVisible ScrollWindow SetWindowPos 53189->53200 53190 41fb29 GetScrollPos 53190->53186 53193 41fb34 53190->53193 53194 41fb43 SetScrollPos 53193->53194 53194->53186 53195->53190 53197 4181e2 53196->53197 53197->53179 53198->53184 53199->53184 53200->53195 53201->53195 53202 420590 53203 4205a3 
53202->53203 53223 415b28 53203->53223 53205 4206ea 53206 420701 53205->53206 53230 4146cc KiUserCallbackDispatcher 53205->53230 53207 420718 53206->53207 53231 414710 KiUserCallbackDispatcher 53206->53231 53213 42073a 53207->53213 53232 420058 12 API calls 53207->53232 53208 4205de 53208->53205 53209 420649 53208->53209 53216 42063a MulDiv 53208->53216 53228 420840 20 API calls 53209->53228 53214 420662 53214->53205 53229 420058 12 API calls 53214->53229 53227 41a2fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue DeleteObject 53216->53227 53219 42067f 53220 42069b MulDiv 53219->53220 53221 4206be 53219->53221 53220->53221 53221->53205 53222 4206c7 MulDiv 53221->53222 53222->53205 53224 415b3a 53223->53224 53233 414468 53224->53233 53226 415b52 53226->53208 53227->53209 53228->53214 53229->53219 53230->53206 53231->53207 53232->53213 53234 414482 53233->53234 53237 410640 53234->53237 53236 414498 53236->53226 53240 40de8c 53237->53240 53239 410646 53239->53236 53241 40deee 53240->53241 53242 40de9f 53240->53242 53247 40defc 53241->53247 53245 40defc 19 API calls 53242->53245 53246 40dec9 53245->53246 53246->53239 53248 40df0c 53247->53248 53250 40df22 53248->53250 53259 40e284 53248->53259 53275 40d7c8 53248->53275 53278 40e134 53250->53278 53253 40d7c8 5 API calls 53254 40df2a 53253->53254 53254->53253 53255 40df96 53254->53255 53281 40dd48 53254->53281 53257 40e134 5 API calls 53255->53257 53258 40def8 53257->53258 53258->53239 53295 40eb54 53259->53295 53261 403778 4 API calls 53262 40e2bf 53261->53262 53262->53261 53263 40e375 53262->53263 53357 40d95c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53262->53357 53358 40e268 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53262->53358 53264 40e390 53263->53264 53265 40e39f 53263->53265 53304 40e5a8 53264->53304 53354 40bc0c 53265->53354 53271 40e39d 53272 403400 4 API calls 53271->53272 53273 40e444 53272->53273 53273->53248 53276 40ebf0 5 API calls 53275->53276 53277 40d7d2 53276->53277 
53277->53248 53391 40d6a4 53278->53391 53400 40e13c 53281->53400 53284 40eb54 5 API calls 53285 40dd86 53284->53285 53286 40eb54 5 API calls 53285->53286 53287 40dd91 53286->53287 53288 40dda3 53287->53288 53289 40ddac 53287->53289 53294 40dda9 53287->53294 53410 40dcb0 19 API calls 53288->53410 53407 40dbc0 53289->53407 53292 403420 4 API calls 53293 40de77 53292->53293 53293->53254 53294->53292 53360 40d968 53295->53360 53298 4034e0 4 API calls 53299 40eb77 53298->53299 53300 403744 4 API calls 53299->53300 53301 40eb7e 53300->53301 53302 40d968 5 API calls 53301->53302 53303 40eb8c 53302->53303 53303->53262 53305 40e5d4 53304->53305 53306 40e5de 53304->53306 53365 40d628 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53305->53365 53308 40e620 53306->53308 53309 40e6c1 53306->53309 53310 40e651 53306->53310 53311 40e6a3 53306->53311 53312 40e6f9 53306->53312 53313 40e67d 53306->53313 53314 40e6de 53306->53314 53315 40e75e 53306->53315 53347 40e644 53306->53347 53366 40d94c 53308->53366 53376 40eb90 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53309->53376 53310->53347 53372 40da00 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53310->53372 53375 40dfcc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53311->53375 53316 40d94c 5 API calls 53312->53316 53373 40e00c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53313->53373 53378 40ea78 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53314->53378 53322 40d94c 5 API calls 53315->53322 53325 40e701 53316->53325 53318 403400 4 API calls 53326 40e7d3 53318->53326 53329 40e766 53322->53329 53333 40e70b 53325->53333 53341 40e705 53325->53341 53326->53271 53327 40e6cc 53377 409f20 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53327->53377 53328 40e688 53374 40d658 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53328->53374 53336 40e783 53329->53336 53337 40e76a 53329->53337 53331 40e649 53371 40e0c0 LocalAlloc TlsSetValue TlsGetValue 
TlsGetValue LoadStringA 53331->53371 53332 40e62c 53369 40e00c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53332->53369 53379 40ebf0 53333->53379 53385 40e00c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53336->53385 53344 40ebf0 5 API calls 53337->53344 53342 40e709 53341->53342 53346 40ebf0 5 API calls 53341->53346 53342->53347 53383 40e00c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53342->53383 53344->53347 53345 40e637 53370 40e454 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53345->53370 53350 40e72c 53346->53350 53347->53318 53382 40da88 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53350->53382 53351 40e74e 53384 40e4bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53351->53384 53386 40bbb8 53354->53386 53357->53262 53358->53262 53359 40d95c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53359->53271 53363 40d973 53360->53363 53361 40d9ad 53361->53298 53363->53361 53364 40d9b4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53363->53364 53364->53363 53365->53306 53367 40ebf0 5 API calls 53366->53367 53368 40d956 53367->53368 53368->53331 53368->53332 53369->53345 53370->53347 53371->53310 53372->53347 53373->53328 53374->53347 53375->53347 53376->53327 53377->53347 53378->53347 53380 40d968 5 API calls 53379->53380 53381 40ebfd 53380->53381 53381->53347 53382->53342 53383->53351 53384->53347 53385->53347 53387 40bbef 53386->53387 53388 40bbca 53386->53388 53387->53271 53387->53359 53388->53387 53390 40bc6c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53388->53390 53390->53387 53392 40ebf0 5 API calls 53391->53392 53393 40d6b1 53392->53393 53394 40d6c4 53393->53394 53398 40ecf4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53393->53398 53394->53254 53396 40d6bf 53399 40d640 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53396->53399 53398->53396 53399->53394 53401 40d94c 5 API calls 53400->53401 53402 40e153 53401->53402 53403 40ebf0 5 
API calls 53402->53403 53406 40dd7b 53402->53406 53404 40e160 53403->53404 53404->53406 53411 40e0c0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53404->53411 53406->53284 53412 40ad64 19 API calls 53407->53412 53409 40dbe8 53409->53294 53410->53294 53411->53406 53412->53409 53413 42f518 53414 42f523 53413->53414 53415 42f527 NtdllDefWindowProc_A 53413->53415 53415->53414 53416 4358d8 53417 4358ed 53416->53417 53421 435907 53417->53421 53422 4352c0 53417->53422 53426 4352f0 53422->53426 53432 43530a 53422->53432 53423 403400 4 API calls 53424 43570f 53423->53424 53424->53421 53435 435720 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53424->53435 53425 446d9c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53425->53426 53426->53425 53427 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53426->53427 53428 402648 4 API calls 53426->53428 53429 431c98 4 API calls 53426->53429 53430 4038a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53426->53430 53426->53432 53433 403744 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53426->53433 53436 4343a8 53426->53436 53448 434b6c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53426->53448 53427->53426 53428->53426 53429->53426 53430->53426 53432->53423 53433->53426 53435->53421 53437 434465 53436->53437 53438 4343d5 53436->53438 53467 434308 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53437->53467 53440 403494 4 API calls 53438->53440 53441 4343e3 53440->53441 53442 403778 4 API calls 53441->53442 53446 434404 53442->53446 53443 403400 4 API calls 53444 4344b5 53443->53444 53444->53426 53445 434457 53445->53443 53446->53445 53449 493e50 53446->53449 53448->53426 53450 493e88 53449->53450 53451 493f20 53449->53451 53453 403494 4 API calls 53450->53453 53468 448928 53451->53468 53454 493e93 53453->53454 53457 493ea3 53454->53457 53458 4037b8 4 API calls 53454->53458 53455 403400 4 API calls 53456 493f44 53455->53456 53459 403400 4 API calls 53456->53459 53457->53455 53461 493ebc 53458->53461 53460 493f4c 
53459->53460 53460->53446 53461->53457 53462 4037b8 4 API calls 53461->53462 53463 493edf 53462->53463 53464 403778 4 API calls 53463->53464 53465 493f10 53464->53465 53466 403634 4 API calls 53465->53466 53466->53451 53467->53445 53469 44894d 53468->53469 53470 448990 53468->53470 53471 403494 4 API calls 53469->53471 53473 4489a4 53470->53473 53480 448524 53470->53480 53472 448958 53471->53472 53477 4037b8 4 API calls 53472->53477 53475 403400 4 API calls 53473->53475 53476 4489d7 53475->53476 53476->53457 53478 448974 53477->53478 53479 4037b8 4 API calls 53478->53479 53479->53470 53481 403494 4 API calls 53480->53481 53482 44855a 53481->53482 53483 4037b8 4 API calls 53482->53483 53484 44856c 53483->53484 53485 403778 4 API calls 53484->53485 53486 44858d 53485->53486 53487 4037b8 4 API calls 53486->53487 53488 4485a5 53487->53488 53489 403778 4 API calls 53488->53489 53490 4485d0 53489->53490 53491 4037b8 4 API calls 53490->53491 53502 4485e8 53491->53502 53492 448620 53494 403420 4 API calls 53492->53494 53493 4486bb 53496 4486c3 GetProcAddress 53493->53496 53497 448700 53494->53497 53495 448655 LoadLibraryA 53495->53502 53499 4486d6 53496->53499 53497->53473 53498 448643 LoadLibraryExA 53498->53502 53499->53492 53500 403b80 4 API calls 53500->53502 53501 403450 4 API calls 53501->53502 53502->53492 53502->53493 53502->53495 53502->53498 53502->53500 53502->53501 53504 43da80 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53502->53504 53504->53502 53505 40ce1c 53508 406f00 WriteFile 53505->53508 53509 406f1d 53508->53509 53510 4222dc 53511 4222eb 53510->53511 53516 42126c 53511->53516 53514 42230b 53517 4212db 53516->53517 53531 42127b 53516->53531 53520 4212ec 53517->53520 53541 4124c8 GetMenuItemCount GetMenuStringA GetMenuState 53517->53541 53519 42131a 53523 42138d 53519->53523 53528 421335 53519->53528 53520->53519 53522 4213b2 53520->53522 53521 42138b 53524 4213de 53521->53524 53543 421e24 11 API calls 53521->53543 53522->53521 53526 4213c6 SetMenu 
                                                  Strings
                                                  • Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470AF0
                                                  • User opted not to overwrite the existing file. Skipping., xrefs: 00470C6D
                                                  • , xrefs: 004709EF, 00470BC0, 00470C3E
                                                  • Will register the file (a type library) later., xrefs: 00471319
                                                  • Incrementing shared file count (32-bit)., xrefs: 004713AB
                                                  • Existing file is a newer version. Skipping., xrefs: 00470A22
                                                  • Non-default bitness: 64-bit, xrefs: 004706CF
                                                  • .tmp, xrefs: 00470DD7
                                                  • Version of existing file: %u.%u.%u.%u, xrefs: 0047099C
                                                  • Same time stamp. Skipping., xrefs: 00470B75
                                                  • Skipping due to "onlyifdestfileexists" flag., xrefs: 00470D1A
                                                  • Stripped read-only attribute., xrefs: 00470CE7
                                                  • Installing the file., xrefs: 00470D29
                                                  • Incrementing shared file count (64-bit)., xrefs: 00471392
                                                  • Time stamp of existing file: %s, xrefs: 0047084B
                                                  • Skipping due to "onlyifdoesntexist" flag., xrefs: 004707EE
                                                  • Existing file has a later time stamp. Skipping., xrefs: 00470BEF
                                                  • Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470AE4
                                                  • Same version. Skipping., xrefs: 00470B05
                                                  • -- File entry --, xrefs: 0047051B
                                                  • Version of our file: (none), xrefs: 0047091C
                                                  • Dest file exists., xrefs: 004707DB
                                                  • InUn, xrefs: 00470F65
                                                  • Version of our file: %u.%u.%u.%u, xrefs: 00470910
                                                  • Dest file is protected by Windows File Protection., xrefs: 0047070D
                                                  • Will register the file (a DLL/OCX) later., xrefs: 00471325
                                                  • Dest filename: %s, xrefs: 004706B4
                                                  • Time stamp of our file: (failed to read), xrefs: 004707C7
                                                  • Time stamp of existing file: (failed to read), xrefs: 00470857
                                                  • p%G, xrefs: 0047151A
                                                  • Non-default bitness: 32-bit, xrefs: 004706DB
                                                  • Failed to strip read-only attribute., xrefs: 00470CF3
                                                  • Time stamp of our file: %s, xrefs: 004707BB
                                                  • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470CB6
                                                  • @, xrefs: 004705D0
                                                  • Existing file is protected by Windows File Protection. Skipping., xrefs: 00470C0C
                                                  • Version of existing file: (none), xrefs: 00470B1A
                                                  • Uninstaller requires administrator: %s, xrefs: 00470F95
                                                  • Couldn't read time stamp. Skipping., xrefs: 00470B55
                                                  • Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470AD5
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.$p%G
                                                  • API String ID: 0-1519224904
                                                  • Opcode ID: c85e02cee53c90be4c09432cdc1bed37a126afc3c982ec3092a00699d9325f6e
                                                  • Instruction ID: 29ad728ada19ee594bb20a6f10617e7c4442303fd1b73b354b0c7f106615fe65
                                                  • Opcode Fuzzy Hash: c85e02cee53c90be4c09432cdc1bed37a126afc3c982ec3092a00699d9325f6e
                                                  • Instruction Fuzzy Hash: 64928534A0528CDFDB11DFA9C485BDDBBB5AF05308F1480ABE848A7392C7789E45CB59

                                                  Control-flow Graph

                                                  APIs
                                                  • AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0CE
                                                  • GetVersion.KERNEL32(00000000,0042E278,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0EB
                                                  • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E278,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E104
                                                  • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E10A
                                                  • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E278,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E11F
                                                  • FreeSid.ADVAPI32(00000000,0042E27F,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E272
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                  • String ID: CheckTokenMembership$advapi32.dll
                                                  • API String ID: 2252812187-1888249752
                                                  • Opcode ID: a9fe6633055198f43e03035385e24ba146a4a62582313a35ed9699780c9b0276
                                                  • Instruction ID: a71ca61110966f780236f7e78469af046a056b7130da329bb4013a210d9377b5
                                                  • Opcode Fuzzy Hash: a9fe6633055198f43e03035385e24ba146a4a62582313a35ed9699780c9b0276
                                                  • Instruction Fuzzy Hash: 65519371B44615EAEF10EAE69C42FBF77ACEB19304F9404BBB901F7281D57899008A79

                                                  Control-flow Graph

                                                  APIs
                                                  • GetVersion.KERNEL32(00480154), ref: 004502A7
                                                  • LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480154), ref: 004502BF
                                                  • GetProcAddress.KERNEL32(6CFC0000,RmStartSession), ref: 004502DD
                                                  • GetProcAddress.KERNEL32(6CFC0000,RmRegisterResources), ref: 004502F2
                                                  • GetProcAddress.KERNEL32(6CFC0000,RmGetList), ref: 00450307
                                                  • GetProcAddress.KERNEL32(6CFC0000,RmShutdown), ref: 0045031C
                                                  • GetProcAddress.KERNEL32(6CFC0000,RmRestart), ref: 00450331
                                                  • GetProcAddress.KERNEL32(6CFC0000,RmEndSession), ref: 00450346
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoadVersion
                                                  • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                  • API String ID: 1968650500-3419246398
                                                  • Opcode ID: f300c04dd650cc6e2fa8790a8e0a5b734cbc62ec7341ff736350933aa5c91be4
                                                  • Instruction ID: 86b2f7b41730535ff8ff974bf0b660ab9cb9644c053cd973342487371e557a0c
                                                  • Opcode Fuzzy Hash: f300c04dd650cc6e2fa8790a8e0a5b734cbc62ec7341ff736350933aa5c91be4
                                                  • Instruction Fuzzy Hash: EF11B3B5510301EBD610FB65BF46A2E37EAE728715B08063FE904962A2CB7C8844CF9C

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 50d408d7c884e6e1e9eef83812aacce54c36a632f8e4c3c09f50c6ce0f1de6a1
                                                  • Instruction ID: 2c29f6787255d97ab3f4589ac6aadd45d54e60a31d0a4dda1db310adca3c7782
                                                  • Opcode Fuzzy Hash: 50d408d7c884e6e1e9eef83812aacce54c36a632f8e4c3c09f50c6ce0f1de6a1
                                                  • Instruction Fuzzy Hash: 60E18031700124DFD710DF69E989A6E77F4EB54305FA580AAE4059B3A2C73CEE91EB09

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 00494DD8: GetWindowRect.USER32(00000000), ref: 00494DEE
                                                  • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 0046759B
                                                    • Part of subcall function 0041D6A8: GetObjectA.GDI32(?,00000018,004675B5), ref: 0041D6D3
                                                    • Part of subcall function 00466FA8: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046704B
                                                    • Part of subcall function 00466FA8: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467071
                                                    • Part of subcall function 00466FA8: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004670C8
                                                    • Part of subcall function 00466968: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467650,00000000,00000000,00000000,0000000C,00000000), ref: 00466980
                                                    • Part of subcall function 0049505C: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495066
                                                    • Part of subcall function 0042ED30: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA0
                                                    • Part of subcall function 0042ED30: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDBD
                                                    • Part of subcall function 00494D28: 73A1A570.USER32(00000000,?,?,?), ref: 00494D4A
                                                    • Part of subcall function 00494D28: SelectObject.GDI32(?,00000000), ref: 00494D70
                                                    • Part of subcall function 00494D28: 73A1A480.USER32(00000000,?,00494DCE,00494DC7,?,00000000,?,?,?), ref: 00494DC1
                                                    • Part of subcall function 0049504C: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495056
                                                  • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,01FEFADC,01FF183C,?,?,01FF186C,?,?,01FF18BC,?), ref: 00468225
                                                  • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00468236
                                                  • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 0046824E
                                                    • Part of subcall function 0042A054: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A06A
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Menu$AppendExtractIconObject$A480A570AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectSelectSendSystemUserWindow
                                                  • String ID: $(Default)$STOPIMAGE
                                                  • API String ID: 3271511185-770201673
                                                  • Opcode ID: 65c14ae30e85822ef60db02fd97b7f4e3efbe6cb128918b96e9feeb284152913
                                                  • Instruction ID: b2f63b4b9f8df581d735fd8ef5c85857eef1c350e3dafc85bc3b179d47d789c4
                                                  • Instruction Fuzzy Hash: FCF2D6387005148FCB00EB69D9D5F9973F1BF49304F1582BAE9049B36ADB74AC46CB9A
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,00474EDA,?,?,0049C1D0,00000000), ref: 00474DC9
                                                  • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00474EDA,?,?,0049C1D0,00000000), ref: 00474EA6
                                                  • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00474EDA,?,?,0049C1D0,00000000), ref: 00474EB4
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstNext
                                                  • String ID: unins$unins???.*
                                                  • API String ID: 3541575487-1009660736
                                                  • Opcode ID: 93e32e2715b3a8b7847a0fb832790e1c3976f33889ea765eaf668e4b41fda757
                                                  • Instruction ID: 3bd68598c0aa53c456c144f1316f7d147ab415eaa7c6a73ce12ee5554087e81d
                                                  • Instruction Fuzzy Hash: 99316370600118AFCB10EF65C881AEEB7A9EF85314F5084F6E50CA73A2DB389F418F19
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,00452A97,?,?,-00000001,00000000), ref: 00452A71
                                                  • GetLastError.KERNEL32(00000000,?,00000000,00452A97,?,?,-00000001,00000000), ref: 00452A79
                                                  Similarity
                                                  • API ID: ErrorFileFindFirstLast
                                                  • String ID:
                                                  • API String ID: 873889042-0
                                                  • Opcode ID: 7ae0723ade0fcfbd8a40aeca515459a75bb89ca97a3748738d7edfd6ae7cd884
                                                  • Instruction ID: 4713bb530a1d6cf0c1be7e5c5fdd45c253cc675fccbb574d3c3c9d841926f9e3
                                                  • Instruction Fuzzy Hash: 44F0F971A04704AB8B21DFA69D4149EB7ACEB86725B5046BBFC14E3282DAB84E054558
                                                  APIs
                                                  • GetVersion.KERNEL32(0000042D,0046DF9A), ref: 0046DF0E
                                                  • CoCreateInstance.OLE32(00499B84,00000000,00000001,00499B94,?,0000042D,0046DF9A), ref: 0046DF2A
                                                  Similarity
                                                  • API ID: CreateInstanceVersion
                                                  • String ID:
                                                  • API String ID: 1462612201-0
                                                  • Opcode ID: 5a8033094c1a2ccd5f304b9bf5dd1a9c70433978345ec92e95cfd2b7b8fd1860
                                                  • Instruction ID: 830c4b43a8f201c084d489d1d0538b8be171f1220f730b3634288a605713aaeb
                                                  • Instruction Fuzzy Hash: 08F0A031B853009EEB14E7A9DC46B4A37C0BB65328F4000BBF044972D2E3AC8890875F
                                                  APIs
                                                  • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408623,?,00000000,00408702), ref: 00408576
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID:
                                                  • API String ID: 2299586839-0
                                                  • Opcode ID: 13731be40deedddb1bcfa8ff428b7afeb94bbc36fd170698d9f0ebbe8ddb7d61
                                                  • Instruction ID: c2e77f62f7768c8d819fe5e4f890f04d0c30465c7a0250885ae4f210fddfc08b
                                                  • Instruction Fuzzy Hash: 9BE0927170021466D311A96A9C86AEAB35C975C314F00427FBA84E73C2EDB89E4146A9
                                                  APIs
                                                  • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424149,?,00000000,00424154), ref: 00423BA6
                                                  Similarity
                                                  • API ID: NtdllProc_Window
                                                  • String ID:
                                                  • API String ID: 4255912815-0
                                                  • Opcode ID: f802b11f0c681854f79c5f1da5c1baf03ca951e6abaa2e26ef8ced90cdb9169e
                                                  • Instruction ID: a748582893d7571d6ac8bdbe819d0a8fbf5f36db2d3505b6f19a51c7a0bbae16
                                                  • Instruction Fuzzy Hash: 47F0B979205608AF8B40DF99C588D4ABBE8AB4C260B058195B988CB321C234ED808F90
                                                  APIs
                                                  Similarity
                                                  • API ID: NameUser
                                                  • String ID:
                                                  • API String ID: 2645101109-0
                                                  • Opcode ID: 1f1a34a7eb901b06f0a61d7cce650584f8c9fe2765f86e1b2240f6bc1b6117e3
                                                  • Instruction ID: 76bfcf8d2b29e22e6d76dcded3dafddf5190573ba102c834aba1eed314c6e9aa
                                                  • Instruction Fuzzy Hash: C9D0C27130460467C700AA68DC825AA358E8B84306F00483E3CC5DA2C3FABDDA485756
                                                  APIs
                                                  • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F534
                                                  Similarity
                                                  • API ID: NtdllProc_Window
                                                  • String ID:
                                                  • API String ID: 4255912815-0
                                                  • Opcode ID: 333668ea2a957bd6a9fe502da343e78d2fcb082c63b96445e07994a194d2f0c0
                                                  • Instruction ID: dfc14921be52f7ae21963fbc3fbcd64f7f6a072f88f97ccbdbccca1c2d2fc057
                                                  • Instruction Fuzzy Hash: 9FD09E7220011DBB9B00DE99E840C6B73ADAB88710BD09926F945C7642D634ED9197A5

                                                  Control-flow Graph (rendered graph; node and edge listing omitted)
                                                  APIs
                                                    • Part of subcall function 0046EC64: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,r_G,?,0049C1D0,?,0046EF7B,?,00000000,0046F516,?,_is1), ref: 0046EC87
                                                    • Part of subcall function 0046ECD4: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F352,?,?,00000000,0046F516,?,_is1,?), ref: 0046ECE7
                                                  • RegCloseKey.ADVAPI32(?,0046F51D,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F568,?,?,0049C1D0,00000000), ref: 0046F510
                                                  Similarity
                                                  • API ID: Value$Close
                                                  • String ID: " /SILENT$5.5.1 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                  • API String ID: 3391052094-213252641
                                                  • Opcode ID: db2c8a7a7111b7a2256de2528cb94e5858c2f33c6448f5c94e9fc589d623ae97
                                                  • Instruction ID: b1500e3f1927c4d0668730226bdd95c12c24136f653289305a03eef3c2fa698f
                                                  • Instruction Fuzzy Hash: 40125334A001089BDB04EF56E991ADE73F5FB48304F60807BE8506B765EB78BD45CB5A

                                                  Control-flow Graph (rendered graph; node and edge listing omitted)
                                                  APIs
                                                  • Sleep.KERNEL32(00000000,00000000,00492239,?,?,?,?,00000000,00000000,00000000), ref: 00491D84
                                                  • FindWindowA.USER32(00000000,00000000), ref: 00491DB5
                                                  Similarity
                                                  • API ID: FindSleepWindow
                                                  • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                  • API String ID: 3078808852-3310373309
                                                  • Opcode ID: 75f42c2bc3d671ddacef7ceddea1dce46e469a81ba41ac7012420b40329701a8
                                                  • Instruction ID: dc8cd37179c6c7efec8ae072485b7dd58185b77a9baa1073e2e80a3326dd0ce5
                                                  • Instruction Fuzzy Hash: 6CC19360B043406BDB24BF7E9D4291A59999F98708711897FB846EB38BCE7CDC0E439D

                                                  Control-flow Graph (rendered graph; node and edge listing omitted)
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483049
                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483056
                                                  • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483064
                                                  • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0048306C
                                                  • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483078
                                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483099
                                                  • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 004830AC
                                                  • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 004830B2
                                                  • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 004830C9
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                  • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                  • API String ID: 2230631259-2623177817
                                                  • Opcode ID: 19051ef92357407474476a60c046aa04f8c513acd1fb492cc3cf86325791a6e5
                                                  • Instruction ID: af3d4bc633e3fac8e2117acd109dd394a62660f1f52edacbaea6f09291502d38
                                                  • Opcode Fuzzy Hash: 19051ef92357407474476a60c046aa04f8c513acd1fb492cc3cf86325791a6e5
                                                  • Instruction Fuzzy Hash: 9211B69010574194DA117B764C5E76F19888B12F1BF140C3BB880662DBEABD8F45CB2F

Control-flow Graph (basic-block address ranges, called APIs and edges as block-id->block-id; the executed/not-executed colouring of the rendered graph is not recoverable in text):
control_flow_graph 1615 468bb0-468be8 call 47bb50 1618 468bee-468bfe call 4788b8 1615->1618 1619 468dca-468de4 call 403420 1615->1619 1624 468c03-468c48 call 4078e4 call 403738 call 42de14 1618->1624 1630 468c4d-468c4f 1624->1630 1631 468c55-468c6a 1630->1631 1632 468dc0-468dc4 1630->1632 1633 468c7f-468c86 1631->1633 1634 468c6c-468c7a call 42dd44 1631->1634 1632->1619 1632->1624 1636 468cb3-468cba 1633->1636 1637 468c88-468caa call 42dd44 call 42dd5c 1633->1637 1634->1633 1639 468d13-468d1a 1636->1639 1640 468cbc-468ce1 call 42dd44 * 2 1636->1640 1637->1636 1656 468cac 1637->1656 1642 468d60-468d67 1639->1642 1643 468d1c-468d2e call 42dd44 1639->1643 1660 468ce3-468cec call 4314f0 1640->1660 1661 468cf1-468d03 call 42dd44 1640->1661 1645 468da2-468db8 RegCloseKey 1642->1645 1646 468d69-468d9d call 42dd44 * 3 1642->1646 1657 468d30-468d39 call 4314f0 1643->1657 1658 468d3e-468d50 call 42dd44 1643->1658 1646->1645 1656->1636 1657->1658 1658->1642 1668 468d52-468d5b call 4314f0 1658->1668 1660->1661 1661->1639 1672 468d05-468d0e call 4314f0 1661->1672 1668->1642 1672->1639
                                                  APIs
                                                    • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                  • RegCloseKey.ADVAPI32(?,00468DCA,?,?,00000001,00000000,00000000,00468DE5,?,00000000,00000000,?), ref: 00468DB3
                                                  Strings
                                                  • Inno Setup: App Path, xrefs: 00468C72
                                                  • %s\%s_is1, xrefs: 00468C2D
                                                  • Inno Setup: No Icons, xrefs: 00468C9B
                                                  • Inno Setup: Selected Tasks, xrefs: 00468D1F
                                                  • Inno Setup: Setup Type, xrefs: 00468CC2
                                                  • Inno Setup: User Info: Name, xrefs: 00468D6F
                                                  • Inno Setup: User Info: Serial, xrefs: 00468D95
                                                  • Inno Setup: User Info: Organization, xrefs: 00468D82
                                                  • Inno Setup: Deselected Components, xrefs: 00468CF4
                                                  • Inno Setup: Selected Components, xrefs: 00468CD2
                                                  • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468C0F
                                                  • Inno Setup: Deselected Tasks, xrefs: 00468D41
                                                  • Inno Setup: Icon Group, xrefs: 00468C8E
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseOpen
                                                  • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                  • API String ID: 47109696-1093091907
                                                  • Opcode ID: 8db79232fb2f2725b9adfe70d64749861c257aff0263038353b857e31bb30bb7
                                                  • Instruction ID: 9409bd20b999dcc9be58dd01f280802f9f4acbf4d31626fc1b9235e67c3febe1
                                                  • Opcode Fuzzy Hash: 8db79232fb2f2725b9adfe70d64749861c257aff0263038353b857e31bb30bb7
                                                  • Instruction Fuzzy Hash: B451C430A006489BCB11DB65C9917DEB7F5EF98304F50816FE840A7391EB78AE41CB19
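Two of the routines above are worth reading together. The function at 00483038 resolves GetNativeSystemInfo, IsWow64Process, GetSystemWow64DirectoryA and RegDeleteKeyExA at run time through GetModuleHandleA/GetProcAddress, and the function at 00468BB0 opens Software\Microsoft\Windows\CurrentVersion\Uninstall\<AppId>_is1 and reads the "Inno Setup: ..." values. Together with the TWindowDisabler-Window class, _isetup\_shfoldr.dll and the SetProcessDEPPolicy/SetDllDirectoryW/SetSearchPathMode and Wow64DisableWow64FsRedirection lookups listed further down, these strings are the ones used by the Inno Setup installer runtime, so they are consistent with the installer wrapper rather than with the payload the report flags in the dropped file. When triaging a listing like this it helps to pull the dynamically resolved symbols and the registry keys touched out of the "APIs" lines mechanically instead of by eye. The Python below is an added example written for this page, not Joe Sandbox code or report output: it parses lines in exactly the shape shown above (the sample is copied from this report's own listings and includes the "Part of subcall function" prefix and the argument-less "GetActiveWindow.USER32 ref:" variant) and summarises them. The hive mapping for RegOpenKeyExA's first argument (80000002 = HKLM) is standard Win32; the filtering of GetProcAddress's second argument is an assumption about how the sandbox recovers arguments from the stack, motivated by entries such as "GetProcAddress.KERNEL32(00000000,advapi32.dll)" where the recovered string is clearly the module name left over from the preceding GetModuleHandleA call rather than the symbol being resolved.

```python
import re

# Sample input: lines copied verbatim from the "APIs" listings on this report page
# (the function at 00483038, the RegOpenKeyExA subcall of 00468BB0 and one
# argument-less USER32 call), assembled here as a constructed test fixture.
SAMPLE_API_LINES = r"""
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483049
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483056
• GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483064
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0048306C
• GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483078
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483099
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 004830AC
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 004830B2
  • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
• RegCloseKey.ADVAPI32(?,00468DCA,?,?,00000001,00000000,00000000,00468DE5,?,00000000,00000000,?), ref: 00468DB3
• GetActiveWindow.USER32 ref: 0042F587
"""

# One "APIs" entry: optional subcall prefix, Api.MODULE, optional (args), ref: address.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Predefined registry hive handles as they appear in RegOpenKeyExA's first argument.
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}


def is_address(token: str) -> bool:
    """True for an 8-digit hex value, i.e. a pointer or handle rather than a string."""
    return re.fullmatch(r"[0-9A-F]{8}", token) is not None


def parse_api_lines(text: str) -> list[dict]:
    """Parse every 'ref:' line into {sub, api, module, args, ref}; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        if "ref:" not in line:
            continue  # headings, Strings entries, blank lines
        m = API_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised APIs line: {line!r}")
        args = m.group("args")
        calls.append({
            "sub": m.group("sub"),          # address of the subcall, or None
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args.split(",") if args else [],
            "ref": m.group("ref"),
        })
    return calls


def summarise(calls: list[dict]) -> dict:
    """Collect dynamically resolved symbols, modules looked up and registry keys opened."""
    out = {"resolved": [], "modules": [], "registry": [], "from_subcalls": 0}
    for c in calls:
        if c["sub"]:
            out["from_subcalls"] += 1
        a = c["args"]
        if c["api"] == "GetProcAddress" and len(a) >= 2:
            name = a[1]
            # Assumption: the sandbox recovers arguments from the stack, so a stale
            # value (a .dll name left by the preceding GetModuleHandleA) or a raw
            # address is not the symbol being resolved; drop those.
            if not is_address(name) and name != "?" and not name.lower().endswith(".dll"):
                if name not in out["resolved"]:
                    out["resolved"].append(name)
        elif c["api"] in ("GetModuleHandleA", "LoadLibraryA") and a and a[0].lower().endswith(".dll"):
            if a[0].lower() not in out["modules"]:
                out["modules"].append(a[0].lower())
        elif c["api"].startswith("RegOpenKey") and len(a) >= 2:
            out["registry"].append(f"{HIVES.get(a[0], a[0])}\\{a[1]}")
    return out


if __name__ == "__main__":
    for key, value in summarise(parse_api_lines(SAMPLE_API_LINES)).items():
        print(f"{key}: {value}")
```

The "String ID" field in each Similarity block is the report's own list of string references and is the better source when the two disagree: here it names RegDeleteKeyExA, which the recovered GetProcAddress argument at 004830B2 has lost, so the parser's "resolved" list should be cross-checked against it before drawing conclusions about which imports a function actually resolves.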

Control-flow Graph (basic-block address ranges, called APIs and edges as block-id->block-id; the executed/not-executed colouring of the rendered graph is not recoverable in text):
control_flow_graph 1833 42386c-423876 1834 42399f-4239a3 1833->1834 1835 42387c-42389e call 41f3bc GetClassInfoA 1833->1835 1838 4238a0-4238b7 RegisterClassA 1835->1838 1839 4238cf-4238d8 GetSystemMetrics 1835->1839 1838->1839 1842 4238b9-4238ca call 408cac call 40311c 1838->1842 1840 4238da 1839->1840 1841 4238dd-4238e7 GetSystemMetrics 1839->1841 1840->1841 1843 4238e9 1841->1843 1844 4238ec-423948 call 403738 call 4062e8 call 403400 call 423644 SetWindowLongA 1841->1844 1842->1839 1843->1844 1856 423962-423990 GetSystemMenu DeleteMenu * 2 1844->1856 1857 42394a-42395d call 424170 SendMessageA 1844->1857 1856->1834 1859 423992-42399a DeleteMenu 1856->1859 1857->1856 1859->1834
                                                  APIs
                                                    • Part of subcall function 0041F3BC: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED9C,?,00423887,00423C04,0041ED9C), ref: 0041F3DA
                                                  • GetClassInfoA.USER32(00400000,00423674), ref: 00423897
                                                  • RegisterClassA.USER32(00499630), ref: 004238AF
                                                  • GetSystemMetrics.USER32(00000000), ref: 004238D1
                                                  • GetSystemMetrics.USER32(00000001), ref: 004238E0
                                                  • SetWindowLongA.USER32(00410648,000000FC,00423684), ref: 0042393C
                                                  • SendMessageA.USER32(00410648,00000080,00000001,00000000), ref: 0042395D
                                                  • GetSystemMenu.USER32(00410648,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C04,0041ED9C), ref: 00423968
                                                  • DeleteMenu.USER32(00000000,0000F030,00000000,00410648,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C04,0041ED9C), ref: 00423977
                                                  • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410648,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00423984
                                                  • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410648,00000000,00000000,00400000,00000000,00000000,00000000), ref: 0042399A
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                  • String ID: t6B
                                                  • API String ID: 183575631-3178735703
                                                  • Opcode ID: 5827b0b13dbe7130606d895180cc1450c2f1a68b369bd82c96e4222b10ed1bb4
                                                  • Instruction ID: b8adc5bb76ba60810a7e15457cf144511173abf09441cb7f9a8677178c11600e
                                                  • Opcode Fuzzy Hash: 5827b0b13dbe7130606d895180cc1450c2f1a68b369bd82c96e4222b10ed1bb4
                                                  • Instruction Fuzzy Hash: 003150B17402006AE710BF699C82F6A37989B14709F60017AFA44EF2D7C6BDED44876D

Control-flow Graph (basic-block address ranges, called APIs and edges as block-id->block-id; the executed/not-executed colouring of the rendered graph is not recoverable in text):
control_flow_graph 1972 47c65c-47c6b2 call 42c3f4 call 4035c0 call 47c320 call 4525ac 1981 47c6b4-47c6b9 call 453318 1972->1981 1982 47c6be-47c6cd call 4525ac 1972->1982 1981->1982 1986 47c6e7-47c6ed 1982->1986 1987 47c6cf-47c6d5 1982->1987 1990 47c704-47c72c call 42e38c * 2 1986->1990 1991 47c6ef-47c6f5 1986->1991 1988 47c6f7-47c6ff call 403494 1987->1988 1989 47c6d7-47c6dd 1987->1989 1988->1990 1989->1986 1992 47c6df-47c6e5 1989->1992 1998 47c753-47c76d GetProcAddress 1990->1998 1999 47c72e-47c74e call 4078e4 call 453318 1990->1999 1991->1988 1991->1990 1992->1986 1992->1988 2001 47c76f-47c774 call 453318 1998->2001 2002 47c779-47c796 call 403400 * 2 1998->2002 1999->1998 2001->2002
                                                  APIs
                                                  • GetProcAddress.KERNEL32(6FBC0000,SHGetFolderPathA), ref: 0047C75E
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressProc
                                                  • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$imI$shell32.dll$shfolder.dll
                                                  • API String ID: 190572456-2091577475
                                                  • Opcode ID: d288e8e16deffb628a1a36f0e60e66c1c4d1894b7e7b0e008bed83d76a7a8b95
                                                  • Instruction ID: 1bc5907ccbf8c7c126ff73efdb0a93079a3df87e782a300c574b3872d81dfa42
                                                  • Opcode Fuzzy Hash: d288e8e16deffb628a1a36f0e60e66c1c4d1894b7e7b0e008bed83d76a7a8b95
                                                  • Instruction Fuzzy Hash: BF311D30A00149DBCB00EFA9D9D29DEB7B5EB44305F61847BE404E7241DB389E45CBAD

Control-flow Graph (basic-block address ranges, called APIs and edges as block-id->block-id; the executed/not-executed colouring of the rendered graph is not recoverable in text):
control_flow_graph 2010 40631c-406336 GetModuleHandleA GetProcAddress 2011 406338 2010->2011 2012 40633f-40634c GetProcAddress 2010->2012 2011->2012 2013 406355-406362 GetProcAddress 2012->2013 2014 40634e 2012->2014 2015 406364-406366 SetProcessDEPPolicy 2013->2015 2016 406368-406369 2013->2016 2014->2013 2015->2016
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,004980CC), ref: 00406322
                                                  • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                  • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                  • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                  • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,004980CC), ref: 00406366
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$HandleModulePolicyProcess
                                                  • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                  • API String ID: 3256987805-3653653586
                                                  • Opcode ID: 46e9f49e023cd011afba093bed0ab82df2a9fb2f70a8bbd92ca42cf1d07dc1dc
                                                  • Instruction ID: 935c6a5f7b98c90e27654dc67135d8c1f882d2ad5d8c1b9d0efaf55941893a49
                                                  • Opcode Fuzzy Hash: 46e9f49e023cd011afba093bed0ab82df2a9fb2f70a8bbd92ca42cf1d07dc1dc
                                                  • Instruction Fuzzy Hash: 97E02D90380702ACEA1032B20D82F3B144C9B54B69B26543B7D56B51C7D9BDDD7059BD

APIs
                                                  • SetWindowLongA.USER32(?,000000FC,?), ref: 0041365C
                                                  • GetWindowLongA.USER32(?,000000F0), ref: 00413667
                                                  • GetWindowLongA.USER32(?,000000F4), ref: 00413679
                                                  • SetWindowLongA.USER32(?,000000F4,?), ref: 0041368C
                                                  • SetPropA.USER32(?,00000000,00000000), ref: 004136A3
                                                  • SetPropA.USER32(?,00000000,00000000), ref: 004136BA
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: LongWindow$Prop
                                                  • String ID: wA$yA
                                                  • API String ID: 3887896539-1847240991
                                                  • Opcode ID: f90247c629a947c585d53ebd803f71ac5ff518e129def1d5e0d2b734115b4926
                                                  • Instruction ID: c74ba7ed2530cb1b13d42f77b59a1a0282e776654e1e26cace8cc99fbade548e
                                                  • Opcode Fuzzy Hash: f90247c629a947c585d53ebd803f71ac5ff518e129def1d5e0d2b734115b4926
                                                  • Instruction Fuzzy Hash: E922D06108E3C05FE3279B74896A5D17FA0EE23326B1D45DFC4C28B1A3D61D8A87C71A

Control-flow Graph (basic-block address ranges, called APIs and edges as block-id->block-id; the executed/not-executed colouring of the rendered graph is not recoverable in text):
control_flow_graph 2154 42f558-42f562 2155 42f564-42f567 call 402d30 2154->2155 2156 42f56c-42f5a9 call 402b30 GetActiveWindow GetFocus call 41ee9c 2154->2156 2155->2156 2162 42f5bb-42f5c3 2156->2162 2163 42f5ab-42f5b5 RegisterClassA 2156->2163 2164 42f64a-42f666 SetFocus call 403400 2162->2164 2165 42f5c9-42f5fa CreateWindowExA 2162->2165 2163->2162 2165->2164 2166 42f5fc-42f640 call 424274 call 403738 CreateWindowExA 2165->2166 2166->2164 2173 42f642-42f645 ShowWindow 2166->2173 2173->2164
                                                  APIs
                                                  • GetActiveWindow.USER32 ref: 0042F587
                                                  • GetFocus.USER32 ref: 0042F58F
                                                  • RegisterClassA.USER32(004997AC), ref: 0042F5B0
                                                  • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F684,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5EE
                                                  • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F634
                                                  • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F645
                                                  • SetFocus.USER32(00000000,00000000,0042F667,?,?,?,00000001,00000000,?,00458172,00000000,0049B628), ref: 0042F64C
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                  • String ID: TWindowDisabler-Window
                                                  • API String ID: 3167913817-1824977358
                                                  • Opcode ID: cf20678f2c7b31b6636adb6e359071d3d006b90a76df8335edf94e9f5e6a866f
                                                  • Instruction ID: 4511064fd05a7bbda13c40d4eeb951e72c3c37d4b9ac5deb9698ad8496ae2c71
                                                  • Opcode Fuzzy Hash: cf20678f2c7b31b6636adb6e359071d3d006b90a76df8335edf94e9f5e6a866f
                                                  • Instruction Fuzzy Hash: B621A171740710BAE220EF61AD43F1A76B8EB14B04F91453BF504AB2E1D7B9AD0586AD

Control-flow Graph (basic-block address ranges, called APIs and edges as block-id->block-id; the executed/not-executed colouring of the rendered graph is not recoverable in text):
control_flow_graph 2174 4531c4-453215 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 2175 453217-45321e 2174->2175 2176 453220-453222 2174->2176 2175->2176 2177 453224 2175->2177 2178 453226-45325c call 42e38c call 42e8c0 call 403400 2176->2178 2177->2178
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0045325D,?,?,?,?,00000000,?,00498112), ref: 004531E4
                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004531EA
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0045325D,?,?,?,?,00000000,?,00498112), ref: 004531FE
                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453204
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                  • API String ID: 1646373207-2130885113
                                                  • Opcode ID: cff16269528c733e120fa4e5da7181aa43c1feff678136145baf2a5753302424
                                                  • Instruction ID: 97fdcfa8d8ba184edd095c4085c6b9ff9a8965db98d5396ade8c15ee503d7826
                                                  • Opcode Fuzzy Hash: cff16269528c733e120fa4e5da7181aa43c1feff678136145baf2a5753302424
                                                  • Instruction Fuzzy Hash: 5D018870244B05AED701BF73AD02F5A7A58DB0579BF5004BBF81496183D77C4A08CAAD

APIs
                                                  • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046704B
                                                  • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467071
                                                    • Part of subcall function 00466EE8: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00466F80
                                                    • Part of subcall function 00466EE8: DestroyCursor.USER32(00000000), ref: 00466F96
                                                  • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004670C8
                                                  • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467129
                                                  • ExtractIconA.SHELL32(00400000,00000000,?), ref: 0046714F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                  • String ID: c:\directory$shell32.dll
                                                  • API String ID: 3376378930-1375355148
                                                  • Opcode ID: 996b1765118ede8ef69c1a99999a79d5e00ae09db6322347ba6ec5c8e15e0822
                                                  • Instruction ID: 289419416c676a83544b633f3186a9d007cfc28e75d1c6b72818de0571a1fc75
                                                  • Opcode Fuzzy Hash: 996b1765118ede8ef69c1a99999a79d5e00ae09db6322347ba6ec5c8e15e0822
                                                  • Instruction Fuzzy Hash: ED515E74604244AFDB11DF65DD85FCFB7A8EB49308F5081B7F40897352D638AE81CA59
                                                  APIs
                                                  • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430940
                                                  • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0043094F
                                                  • GetCurrentThreadId.KERNEL32 ref: 00430969
                                                  • GlobalAddAtomA.KERNEL32(00000000), ref: 0043098A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                  • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                  • API String ID: 4130936913-2943970505
                                                  • Opcode ID: 4892df4f2f1e0b4b8a599102644a6dba2176c7c95c36211ef141ed36876d8ea1
                                                  • Instruction ID: fc358bcdd7e5b0606a48ee3fdcf498d476493da3f5408fce691eb0e46a0d48ea
                                                  • Opcode Fuzzy Hash: 4892df4f2f1e0b4b8a599102644a6dba2176c7c95c36211ef141ed36876d8ea1
                                                  • Instruction Fuzzy Hash: D0F082B04583409AE300EB25994271E77D0EF58318F10463FF898A6392D7385900CB6F
                                                  APIs
                                                  • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455200,00455200,?,00455200,00000000), ref: 0045518E
                                                  • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455200,00455200,?,00455200), ref: 0045519B
                                                    • Part of subcall function 00454F50: WaitForInputIdle.USER32(?,00000032), ref: 00454F7C
                                                    • Part of subcall function 00454F50: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454F9E
                                                    • Part of subcall function 00454F50: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FAD
                                                    • Part of subcall function 00454F50: CloseHandle.KERNEL32(?,00454FDA,00454FD3,?,?,?,00000000,?,?,004551AF,?,?,?,00000044,00000000,00000000), ref: 00454FCD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                  • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                  • API String ID: 854858120-615399546
                                                  • Opcode ID: 5266c0f0ad6ebbe9230572b3dbc1c9029306f1427952ad7447b96826cd76bb62
                                                  • Instruction ID: 453c4c1e4331516b603b6bd36f4112f8bfb414d7ddeab97af99533fe31520792
                                                  • Opcode Fuzzy Hash: 5266c0f0ad6ebbe9230572b3dbc1c9029306f1427952ad7447b96826cd76bb62
                                                  • Instruction Fuzzy Hash: 7A516C34B0074D6BDB11EF95C852BEEBBB9AF44305F50407BB804B7293D7789A098B59
                                                  APIs
                                                  • LoadIconA.USER32(00400000,MAINICON), ref: 00423714
                                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FDE,00000000,?,?,?,00000001), ref: 00423741
                                                  • OemToCharA.USER32(?,?), ref: 00423754
                                                  • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FDE,00000000,?,?,?,00000001), ref: 00423794
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Char$FileIconLoadLowerModuleName
                                                  • String ID: 2$MAINICON
                                                  • API String ID: 3935243913-3181700818
                                                  • Opcode ID: 0a58a7a63c51e6fb41ef8ab53b8ad398b79f83c4c9e9ca8a59e3f0dc4f1d370f
                                                  • Instruction ID: 89b1690b288838b812280c83b83aa3621e89473e571b5a361368100100c68adf
                                                  • Opcode Fuzzy Hash: 0a58a7a63c51e6fb41ef8ab53b8ad398b79f83c4c9e9ca8a59e3f0dc4f1d370f
                                                  • Instruction Fuzzy Hash: BD31D570A042559ADB10EF69C8C57CA3BE89F14308F4441BAE844DB383D7BED988CB59
                                                  APIs
                                                  • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F35
                                                  • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F56
                                                  • GetCurrentThreadId.KERNEL32 ref: 00418F71
                                                  • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F92
                                                    • Part of subcall function 004230C0: 73A1A570.USER32(00000000,?,?,00000000,?,00418FCB,00000000,?,?,?,00000001), ref: 00423116
                                                    • Part of subcall function 004230C0: EnumFontsA.GDI32(00000000,00000000,00423060,00410648,00000000,?,?,00000000,?,00418FCB,00000000,?,?,?,00000001), ref: 00423129
                                                    • Part of subcall function 004230C0: 73A24620.GDI32(00000000,0000005A,00000000,00000000,00423060,00410648,00000000,?,?,00000000,?,00418FCB,00000000), ref: 00423131
                                                    • Part of subcall function 004230C0: 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423060,00410648,00000000,?,?,00000000,?,00418FCB,00000000), ref: 0042313C
                                                    • Part of subcall function 00423684: LoadIconA.USER32(00400000,MAINICON), ref: 00423714
                                                    • Part of subcall function 00423684: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FDE,00000000,?,?,?,00000001), ref: 00423741
                                                    • Part of subcall function 00423684: OemToCharA.USER32(?,?), ref: 00423754
                                                    • Part of subcall function 00423684: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FDE,00000000,?,?,?,00000001), ref: 00423794
                                                    • Part of subcall function 0041F110: GetVersion.KERNEL32(?,00418FE8,00000000,?,?,?,00000001), ref: 0041F11E
                                                    • Part of subcall function 0041F110: SetErrorMode.KERNEL32(00008000,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F13A
                                                    • Part of subcall function 0041F110: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F146
                                                    • Part of subcall function 0041F110: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F154
                                                    • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F184
                                                    • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1AD
                                                    • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1C2
                                                    • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1D7
                                                    • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1EC
                                                    • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F201
                                                    • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F216
                                                    • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F22B
                                                    • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F240
                                                    • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F255
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A24620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
                                                  • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                  • API String ID: 3864787166-2767913252
                                                  • Opcode ID: 4c8bc3a0940144427da5e0ba9ef3ea459de966ceaf526f98a3946975224fbc60
                                                  • Instruction ID: 27c32735182dabff7e1c09a1de9b3c03b849675df7244bb9ef6d39ac7a5e8d86
                                                  • Opcode Fuzzy Hash: 4c8bc3a0940144427da5e0ba9ef3ea459de966ceaf526f98a3946975224fbc60
                                                  • Instruction Fuzzy Hash: 7A11FC70A182409AD704FF66A94275A76E1DB6830CF40853FF448AB391DB39A9458BAF
                                                  APIs
                                                  • SetWindowLongA.USER32(?,000000FC,?), ref: 0041365C
                                                  • GetWindowLongA.USER32(?,000000F0), ref: 00413667
                                                  • GetWindowLongA.USER32(?,000000F4), ref: 00413679
                                                  • SetWindowLongA.USER32(?,000000F4,?), ref: 0041368C
                                                  • SetPropA.USER32(?,00000000,00000000), ref: 004136A3
                                                  • SetPropA.USER32(?,00000000,00000000), ref: 004136BA
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: LongWindow$Prop
                                                  • String ID:
                                                  • API String ID: 3887896539-0
                                                  • Opcode ID: 45c1895276da90ba0030b8fba909c80b6c0b360e03c75fbe878fc1f19dddecee
                                                  • Instruction ID: 2f0da8c2a639c8e1c6f1513ac1b217b7872104ca576cf6b7b6160f367be9faf8
                                                  • Opcode Fuzzy Hash: 45c1895276da90ba0030b8fba909c80b6c0b360e03c75fbe878fc1f19dddecee
                                                  • Instruction Fuzzy Hash: 8C11B775100244BFEF00DF9DDC84EDA37A8EB19364F144666B958DB2A2D738D9908B68
                                                  APIs
                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,0047212D,?,00000000,?,0049C1D0,00000000,004722FB,?,00000000,?,00000000,?,004724C9), ref: 00472109
                                                  • FindClose.KERNEL32(000000FF,00472134,0047212D,?,00000000,?,0049C1D0,00000000,004722FB,?,00000000,?,00000000,?,004724C9,?), ref: 00472127
                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,0047224F,?,00000000,?,0049C1D0,00000000,004722FB,?,00000000,?,00000000,?,004724C9), ref: 0047222B
                                                  • FindClose.KERNEL32(000000FF,00472256,0047224F,?,00000000,?,0049C1D0,00000000,004722FB,?,00000000,?,00000000,?,004724C9,?), ref: 00472249
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Find$CloseFileNext
                                                  • String ID: p%G
                                                  • API String ID: 2066263336-2885399958
                                                  • Opcode ID: 70dfab7f3f526ba4f6777ec764105aa0072f72fa14368740d0b3654a77d976e0
                                                  • Instruction ID: c5c343863c2eea904beb919c2ff7085193d8c56025a8159f133c7515c1d415d1
                                                  • Opcode Fuzzy Hash: 70dfab7f3f526ba4f6777ec764105aa0072f72fa14368740d0b3654a77d976e0
                                                  • Instruction Fuzzy Hash: F4B12B3490424D9FCF11DFA5C981ADEBBB9FF49304F5081AAE908B3251D7789A46CF68
                                                  APIs
                                                    • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00455843,?,00000000,00455883), ref: 00455789
                                                  Strings
                                                  • PendingFileRenameOperations2, xrefs: 00455758
                                                  • WININIT.INI, xrefs: 004557B8
                                                  • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 0045570C
                                                  • PendingFileRenameOperations, xrefs: 00455728
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseOpen
                                                  • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                  • API String ID: 47109696-2199428270
                                                  • Opcode ID: 106a8fd2afe71b0f41862bd94ec021df8a162f8b500a81dbf23ed0435e9c3f1c
                                                  • Instruction ID: 0b70bbd74ac5003506c3e48668489f2f7adcdad68ca58941e5d407b4478d915f
                                                  • Opcode Fuzzy Hash: 106a8fd2afe71b0f41862bd94ec021df8a162f8b500a81dbf23ed0435e9c3f1c
                                                  • Instruction Fuzzy Hash: 0C518430E006489FDB10EF61DC51AEEB7B9EF44305F50857BE804A7292DB78AE49CA58
                                                  APIs
                                                  • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047C4CE,?,?,00000000,0049B628,00000000,00000000,?,00497A45,00000000,00497BEE,?,00000000), ref: 0047C40B
                                                  • GetLastError.KERNEL32(00000000,00000000,00000000,0047C4CE,?,?,00000000,0049B628,00000000,00000000,?,00497A45,00000000,00497BEE,?,00000000), ref: 0047C414
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CreateDirectoryErrorLast
                                                  • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                  • API String ID: 1375471231-2952887711
                                                  • Opcode ID: 3853c7abe1a0bd338ee766f5a09477788eee4f2c95defc4397553f6378db80d7
                                                  • Instruction ID: d537758c7117fefc82ee858029cb7c27e5ed8caa62090c64dc1ceeedb24f0412
                                                  • Opcode Fuzzy Hash: 3853c7abe1a0bd338ee766f5a09477788eee4f2c95defc4397553f6378db80d7
                                                  • Instruction Fuzzy Hash: A0411774A001099BCB01EFA5C892ADEB7B5EF44305F50857BE814B7392DB38AE058B6D
                                                  APIs
                                                  • EnumWindows.USER32(00423A14), ref: 00423AA0
                                                  • GetWindow.USER32(?,00000003), ref: 00423AB5
                                                  • GetWindowLongA.USER32(?,000000EC), ref: 00423AC4
                                                  • SetWindowPos.USER32(00000000,TAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241A3,?,?,00423D6B), ref: 00423AFA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Window$EnumLongWindows
                                                  • String ID: TAB
                                                  • API String ID: 4191631535-3846439302
                                                  • Opcode ID: 19508b105e07bab33860b27abf9b752e23d544e284505d5f1a6339f97510727e
                                                  • Instruction ID: 44c8a23491b9c45dd34cf4bcc3c04de93252e86aee0086cff54aee2134896fd7
                                                  • Opcode Fuzzy Hash: 19508b105e07bab33860b27abf9b752e23d544e284505d5f1a6339f97510727e
                                                  • Instruction Fuzzy Hash: 7B112A70704610ABDB10DF28D985F5677E8EB08725F51026AF994EB2E3C378AD41CB59
                                                  APIs
                                                  • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE48
                                                  • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFE3,00000000,0042DFFB,?,?,?,?,00000006,?,00000000,00496D69), ref: 0042DE63
                                                  • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE69
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressDeleteHandleModuleProc
                                                  • String ID: RegDeleteKeyExA$advapi32.dll
                                                  • API String ID: 588496660-1846899949
                                                  • Opcode ID: c05e7c3326c5169c07e68be8c9fbbd77449d19c2dd42617386e66743e2d73e3c
                                                  • Instruction ID: 9c024767392e34e1239b6ccdb0e78e824d69575b4a8d701ce7db5acd733af5c1
                                                  • Opcode Fuzzy Hash: c05e7c3326c5169c07e68be8c9fbbd77449d19c2dd42617386e66743e2d73e3c
                                                  • Instruction Fuzzy Hash: B2E06DF1B41B30AAD72426697C8AFA72728DB74365F618537B105AD1A183FC1C50CE9D
                                                  Strings
                                                  • Need to restart Windows? %s, xrefs: 0046BCB5
                                                  • NextButtonClick, xrefs: 0046BA6C
                                                  • PrepareToInstall failed: %s, xrefs: 0046BC8E
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                  • API String ID: 0-2329492092
                                                  • Opcode ID: c85eed945518d546ff95eb83013acbbea6e3c59c24d52283f76f7584732158fe
                                                  • Instruction ID: ef605359146084d2a330ce9392c81193c54d44d6395a219c566c339d74a55226
                                                  • Opcode Fuzzy Hash: c85eed945518d546ff95eb83013acbbea6e3c59c24d52283f76f7584732158fe
                                                  • Instruction Fuzzy Hash: F6D12A34A04108DFCB10EF99D585AEE77F5EF49304F6444BAE400AB352D778AE81CB9A
                                                  APIs
                                                  • SetActiveWindow.USER32(?,?,00000000,00482990), ref: 0048276C
                                                  • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00482801
                                                  Strings
                                                  Similarity
                                                  • API ID: ActiveChangeNotifyWindow
                                                  • String ID: $Need to restart Windows? %s
                                                  • API String ID: 1160245247-4200181552
                                                  • Opcode ID: 205c42aac985357c00af048fdaf18b998a02a4faeff7a2d0de879de7ff73840d
                                                  • Instruction ID: d92f6dc0c394a11860c555715cc1377d1ab7d31dc5c27e132739ea4afdffe6c1
                                                  • Opcode Fuzzy Hash: 205c42aac985357c00af048fdaf18b998a02a4faeff7a2d0de879de7ff73840d
                                                  • Instruction Fuzzy Hash: 5291A274A042049FDB10FB69D986BAD77F4AF55308F1084BBE8009B362D7B86D05CB5D
                                                  APIs
                                                    • Part of subcall function 0042C7FC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C820
                                                  • GetLastError.KERNEL32(00000000,0046FAF9,?,?,0049C1D0,00000000), ref: 0046F9D6
                                                  • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FA50
                                                  • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FA75
                                                  Strings
                                                  Similarity
                                                  • API ID: ChangeNotify$ErrorFullLastNamePath
                                                  • String ID: Creating directory: %s
                                                  • API String ID: 2451617938-483064649
                                                  • Opcode ID: d149bf9a4864bf308676d1666e2ddee2b554becc532c3436bbb106b5e5686cba
                                                  • Instruction ID: 2bd83b05653ced0f0f619092410e1b81403e7cd9e02354fb4b3544f6b0b1216d
                                                  • Opcode Fuzzy Hash: d149bf9a4864bf308676d1666e2ddee2b554becc532c3436bbb106b5e5686cba
                                                  • Instruction Fuzzy Hash: 0F512174E00248ABDB01DFE9D582BDEBBF5AF48304F50847AE844B7396D7785E088B59
                                                  APIs
                                                  • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E56
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F1C), ref: 00454EC0
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressByteCharMultiProcWide
                                                  • String ID: SfcIsFileProtected$sfc.dll
                                                  • API String ID: 2508298434-591603554
                                                  • Opcode ID: e7edbd208805aa306e5bb6f456733d4c36fbf9170141b95da0f44c83ccf47135
                                                  • Instruction ID: 176d29f9623cbc30a6d26dfc77e51d4098360506d5c3757ea1f9e8bf8263b863
                                                  • Opcode Fuzzy Hash: e7edbd208805aa306e5bb6f456733d4c36fbf9170141b95da0f44c83ccf47135
                                                  • Instruction Fuzzy Hash: 21416670A04218ABE720EB55DC86B9E77B8EB44309F5041B7E908A7293D7785F89CF5C
                                                  APIs
                                                  • GetClassInfoA.USER32(00400000,?,?), ref: 00416477
                                                  • UnregisterClassA.USER32(?,00400000), ref: 004164A3
                                                  • RegisterClassA.USER32(?), ref: 004164C6
                                                  Strings
                                                  Similarity
                                                  • API ID: Class$InfoRegisterUnregister
                                                  • String ID: @
                                                  • API String ID: 3749476976-2766056989
                                                  • Opcode ID: 58713160258ce5f561964bbdae6a2794c8f6f6caf00f6f1604bd66b56dd4b990
                                                  • Instruction ID: 9d11af1acff112dbe95f15f3a9399eab9f365f4a7252c57533c35fba51c14aa0
                                                  • Opcode Fuzzy Hash: 58713160258ce5f561964bbdae6a2794c8f6f6caf00f6f1604bd66b56dd4b990
                                                  • Instruction Fuzzy Hash: 81316F702043409BD720EF68C981B9B77E5AB89308F04457FF949DB392DB39D944CB6A
                                                  APIs
                                                  • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDBD
                                                    • Part of subcall function 0042D8BC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8CF
                                                    • Part of subcall function 0042E38C: SetErrorMode.KERNEL32(00008000), ref: 0042E396
                                                    • Part of subcall function 0042E38C: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E0,?,00000000,0042E3FE,?,00008000), ref: 0042E3C5
                                                  • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA0
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                  • String ID: SHAutoComplete$shlwapi.dll
                                                  • API String ID: 395431579-1506664499
                                                  • Opcode ID: 07c44bdcd03860b1f33b3045299bb1d0449c98b3a7b2341f9148d4efe18bbe9e
                                                  • Instruction ID: abd39ea96fbc8e8598eec473428a27bf92d63543bd8a2491ee7d7de58c90140d
                                                  • Opcode Fuzzy Hash: 07c44bdcd03860b1f33b3045299bb1d0449c98b3a7b2341f9148d4efe18bbe9e
                                                  • Instruction Fuzzy Hash: B1117330B00319BFD711EB62ED85B8E7BA8EB55704F90407BF400A6691D778AE05865D
                                                  APIs
                                                    • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                  • RegCloseKey.ADVAPI32(?,00455A4F,?,00000001,00000000), ref: 00455A42
                                                  Strings
                                                  • PendingFileRenameOperations, xrefs: 00455A14
                                                  • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004559F0
                                                  • PendingFileRenameOperations2, xrefs: 00455A23
                                                  Similarity
                                                  • API ID: CloseOpen
                                                  • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                  • API String ID: 47109696-2115312317
                                                  • Opcode ID: bdd8c77769c6bad55690eeddcdbd75d9d8896b7276d3d2e2d12af9b25540c28f
                                                  • Instruction ID: 0e3b4bd859061d9736a48b3f0c398de546ea7d73752f370084b2b16911b021d7
                                                  • Opcode Fuzzy Hash: bdd8c77769c6bad55690eeddcdbd75d9d8896b7276d3d2e2d12af9b25540c28f
                                                  • Instruction Fuzzy Hash: 31F09671744A08EFDB04D6A6DC62E7A739DD744711FA04477F800D7682DA7DAD04962C
                                                  APIs
                                                  • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047F539,?,00000000,00000000,?,?,00480749,?,?,00000000), ref: 0047F3E6
                                                  • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047F539,?,00000000,00000000,?,?,00480749,?,?), ref: 0047F3F3
                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,0047F50C,?,?,?,?,00000000,0047F539,?,00000000,00000000,?,?,00480749), ref: 0047F4E8
                                                  • FindClose.KERNEL32(000000FF,0047F513,0047F50C,?,?,?,?,00000000,0047F539,?,00000000,00000000,?,?,00480749,?), ref: 0047F506
                                                  Similarity
                                                  • API ID: Find$CloseFileNext
                                                  • String ID:
                                                  • API String ID: 2066263336-0
                                                  • Opcode ID: b461a46803c2cc4ea78060a2329edfdb5f867b3d72b18562307b1542635c1f41
                                                  • Instruction ID: 93840f20d66fcb2e286325320114c4d74e835c6895e54ad5a4f30f132b089a3b
                                                  • Opcode Fuzzy Hash: b461a46803c2cc4ea78060a2329edfdb5f867b3d72b18562307b1542635c1f41
                                                  • Instruction Fuzzy Hash: 19512F71A00658AFCB21DF65CC45ADEB7B8EB48319F5084BAA818E7341D7389F49CF54
                                                  APIs
                                                  • GetMenu.USER32(00000000), ref: 00421359
                                                  • SetMenu.USER32(00000000,00000000), ref: 00421376
                                                  • SetMenu.USER32(00000000,00000000), ref: 004213AB
                                                  • SetMenu.USER32(00000000,00000000), ref: 004213C7
                                                  Similarity
                                                  • API ID: Menu
                                                  • String ID:
                                                  • API String ID: 3711407533-0
                                                  • Opcode ID: 2199c62fdc40b6f857ca540156f476da1cd3d0498d35d1cb2f117de972eee6cd
                                                  • Instruction ID: 7bb7859a2cdb5f88754e70ccfd218d349751ef7fdbf43141b5448ef52fdf7b61
                                                  • Opcode Fuzzy Hash: 2199c62fdc40b6f857ca540156f476da1cd3d0498d35d1cb2f117de972eee6cd
                                                  • Instruction Fuzzy Hash: 0141B03070025456EB20EB3AA8857AB36D64F61308F4856BFBC44DF7A3CA7CCC5583A9
                                                  APIs
                                                  • SendMessageA.USER32(?,?,?,?), ref: 00416B7C
                                                  • SetTextColor.GDI32(?,00000000), ref: 00416B96
                                                  • SetBkColor.GDI32(?,00000000), ref: 00416BB0
                                                  • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BD8
                                                  Similarity
                                                  • API ID: Color$CallMessageProcSendTextWindow
                                                  • String ID:
                                                  • API String ID: 601730667-0
                                                  • Opcode ID: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
                                                  • Instruction ID: 029c09512e86dc7a5584eefc6ebe6d25086567911d505253220d4c4c80a1b89b
                                                  • Opcode Fuzzy Hash: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
                                                  • Instruction Fuzzy Hash: D4114FB5304604AFD720EE6ECDC4E9777DCAF49310715882AB55ADB602C638F8418B39
                                                  APIs
                                                  • WaitForInputIdle.USER32(?,00000032), ref: 00454F7C
                                                  • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454F9E
                                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 00454FAD
                                                  • CloseHandle.KERNEL32(?,00454FDA,00454FD3,?,?,?,00000000,?,?,004551AF,?,?,?,00000044,00000000,00000000), ref: 00454FCD
                                                  Similarity
                                                  • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                  • String ID:
                                                  • API String ID: 4071923889-0
                                                  • Opcode ID: 51238a3311eee55e88becd6a870e4e93586b22fb22ba4d0d147ea6b118d6571c
                                                  • Instruction ID: ae4672943cd7382c52be368afd98a0e744302f00d430d4f9e0a97d6bd95691cc
                                                  • Opcode Fuzzy Hash: 51238a3311eee55e88becd6a870e4e93586b22fb22ba4d0d147ea6b118d6571c
                                                  • Instruction Fuzzy Hash: 9C01F931A006087EEB10979D8C02F5B7BACDB89764F610127F904DB2C2C5789D408A68
                                                  APIs
                                                  • 73A1A570.USER32(00000000,?,?,00000000,?,00418FCB,00000000,?,?,?,00000001), ref: 00423116
                                                  • EnumFontsA.GDI32(00000000,00000000,00423060,00410648,00000000,?,?,00000000,?,00418FCB,00000000,?,?,?,00000001), ref: 00423129
                                                  • 73A24620.GDI32(00000000,0000005A,00000000,00000000,00423060,00410648,00000000,?,?,00000000,?,00418FCB,00000000), ref: 00423131
                                                  • 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423060,00410648,00000000,?,?,00000000,?,00418FCB,00000000), ref: 0042313C
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: A24620A480A570EnumFonts
                                                  • String ID:
                                                  • API String ID: 2630238358-0
                                                  • Opcode ID: 9afbfd5fafda1dbd28af8ddef14be35d640b69e4e8358016454380424bd4bee6
                                                  • Instruction ID: 69cee35535e214b40259e1ab78654d31e06b117eb7ed13cd681158bdd9fae355
                                                  • Opcode Fuzzy Hash: 9afbfd5fafda1dbd28af8ddef14be35d640b69e4e8358016454380424bd4bee6
                                                  • Instruction Fuzzy Hash: 2F01D2717442102AE700BF795CC6B9B36A4DF04318F40027BF808AB3C6D6BE9C0547AE
                                                  APIs
                                                    • Part of subcall function 00450900: SetEndOfFile.KERNEL32(?,?,0045C162,00000000,0045C2ED,?,00000000,00000002,00000002), ref: 00450907
                                                  • FlushFileBuffers.KERNEL32(?), ref: 0045C2B9
                                                  Strings
                                                  • EndOffset range exceeded, xrefs: 0045C1ED
                                                  • NumRecs range exceeded, xrefs: 0045C1B6
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: File$BuffersFlush
                                                  • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                  • API String ID: 3593489403-659731555
                                                  • Opcode ID: 0bf64ccb4770f6e98af3bdf021747f42c693f3348cd9375c8cc8fc116bf0a776
                                                  • Instruction ID: f1827e02de76a306a1886b93aefbbb2344be70999cb9be9d3c0cbcfad0efad24
                                                  • Opcode Fuzzy Hash: 0bf64ccb4770f6e98af3bdf021747f42c693f3348cd9375c8cc8fc116bf0a776
                                                  • Instruction Fuzzy Hash: 35616334A002548FDB25DF25C891ADAB7B5AF49305F0084DAED88AB353D7749EC9CF54
                                                  APIs
                                                    • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,004980C2), ref: 0040334B
                                                    • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,004980C2), ref: 00403356
                                                    • Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,004980CC), ref: 00406322
                                                    • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                    • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                    • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                    • Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,004980CC), ref: 00406366
                                                    • Part of subcall function 00409B70: 6F551CD0.COMCTL32(004980D6), ref: 00409B70
                                                    • Part of subcall function 0041094C: GetCurrentThreadId.KERNEL32 ref: 0041099A
                                                    • Part of subcall function 00419038: GetVersion.KERNEL32(004980EA), ref: 00419038
                                                    • Part of subcall function 0044F73C: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004980FE), ref: 0044F777
                                                    • Part of subcall function 0044F73C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F77D
                                                    • Part of subcall function 0044FBE4: GetVersionExA.KERNEL32(0049B790,00498103), ref: 0044FBF3
                                                    • Part of subcall function 004531C4: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0045325D,?,?,?,?,00000000,?,00498112), ref: 004531E4
                                                    • Part of subcall function 004531C4: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004531EA
                                                    • Part of subcall function 004531C4: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0045325D,?,?,?,?,00000000,?,00498112), ref: 004531FE
                                                    • Part of subcall function 004531C4: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453204
                                                    • Part of subcall function 00456ED4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456EF8
                                                    • Part of subcall function 0046441C: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498126), ref: 0046442B
                                                    • Part of subcall function 0046441C: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464431
                                                    • Part of subcall function 0046CC10: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CC25
                                                    • Part of subcall function 004786B4: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498130), ref: 004786BA
                                                    • Part of subcall function 004786B4: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004786C7
                                                    • Part of subcall function 004786B4: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004786D7
                                                    • Part of subcall function 004950C0: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 004950D9
                                                  • SetErrorMode.KERNEL32(00000001,00000000,00498178), ref: 0049814A
                                                    • Part of subcall function 00497E74: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498154,00000001,00000000,00498178), ref: 00497E7E
                                                    • Part of subcall function 00497E74: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00497E84
                                                    • Part of subcall function 004244CC: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244EB
                                                    • Part of subcall function 004242BC: SetWindowTextA.USER32(?,00000000), ref: 004242D4
                                                  • ShowWindow.USER32(?,00000005,00000000,00498178), ref: 004981AB
                                                    • Part of subcall function 00481B8C: SetActiveWindow.USER32(?), ref: 00481C3A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF551FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                  • String ID: Setup
                                                  • API String ID: 3870281231-3839654196
                                                  • Opcode ID: c82cb4154b49966d52098e7678e9f8cbacc3d3e1a40bce85d329610fd5ea755b
                                                  • Instruction ID: d0c772c7b00e67a50ac74b8b43c66aaf35bd51fc0d8445b6be8c1c392d06dbfc
                                                  • Opcode Fuzzy Hash: c82cb4154b49966d52098e7678e9f8cbacc3d3e1a40bce85d329610fd5ea755b
                                                  • Instruction Fuzzy Hash: 6E31A471208A409ED601BBB7ED53A293B98EF89B18B61447FF80482593DE3D5C158A7E
                                                  APIs
                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD30), ref: 0042DC34
                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD30), ref: 0042DCA4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID: 2H
                                                  • API String ID: 3660427363-1900415311
                                                  • Opcode ID: 14541883276540ac7989a720439aace4da052e0d2dc9232dcf0108ce5bd41f35
                                                  • Instruction ID: 6f29e5db34dee79be2e4bdbc2feb63702d0df34b1de6f6cc3bdc936bcd48876b
                                                  • Opcode Fuzzy Hash: 14541883276540ac7989a720439aace4da052e0d2dc9232dcf0108ce5bd41f35
                                                  • Instruction Fuzzy Hash: 88414271E04529ABDB11DF95D881BAFB7B8EF05704FA18466E800F7241D778EE01CBA9
                                                  APIs
                                                  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453AE7,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A3E
                                                  • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453AE7,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A47
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CreateDirectoryErrorLast
                                                  • String ID: .tmp
                                                  • API String ID: 1375471231-2986845003
                                                  • Opcode ID: 78f230c1c23ee00a09b91ad4e0d90e969b8545f4e864f0322f10b99bd95edb86
                                                  • Instruction ID: 5c47afe113f3b23246b8f03ea8338b9bfcdda488aecdb3892d8cb76e5c942ae9
                                                  • Opcode Fuzzy Hash: 78f230c1c23ee00a09b91ad4e0d90e969b8545f4e864f0322f10b99bd95edb86
                                                  • Instruction Fuzzy Hash: 4A213374A00218ABDB01EFA5C8529DFB7B9EF48305F50457BE801B7342DA7C9F059BA9
                                                  APIs
                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C10E,00000000,0047C124,?,?,?,?,00000000), ref: 0047BEEA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID: RegisteredOrganization$RegisteredOwner
                                                  • API String ID: 3535843008-1113070880
                                                  • Opcode ID: 27ab63dfb5301e991ca37986a8aa3ba83a7bb1c6c96b168b2a63f47a98e3c08c
                                                  • Instruction ID: 7ba728e1ef3f38ce6dcb00f7549556e1698566df6bc9e7584ed9d3abf6b47640
                                                  • Opcode Fuzzy Hash: 27ab63dfb5301e991ca37986a8aa3ba83a7bb1c6c96b168b2a63f47a98e3c08c
                                                  • Instruction Fuzzy Hash: 2CF09060704244AFEB00E665DC92BEA33A9D745304F20803BE2048B392D779AE00CB5C
                                                  APIs
                                                  • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,r_G,?,0049C1D0,?,0046EF7B,?,00000000,0046F516,?,_is1), ref: 0046EC87
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Value
                                                  • String ID: Inno Setup: Setup Version$r_G
                                                  • API String ID: 3702945584-2380526977
                                                  • Opcode ID: b48b0372e97a4200f87fd252dff6264bc446dea2a7e948ac8a811b1755729780
                                                  • Instruction ID: ba068d84db82e82ca1a3bed1356aff977b130b22b64274b732cbd5037cad883f
                                                  • Opcode Fuzzy Hash: b48b0372e97a4200f87fd252dff6264bc446dea2a7e948ac8a811b1755729780
                                                  • Instruction Fuzzy Hash: 7DE06D753012047FD710AA2F9C85F5BBADCDF88765F10403AB908DB392D978DD0181A9
                                                  APIs
                                                  • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047526B), ref: 00475059
                                                  • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047526B), ref: 00475070
                                                    • Part of subcall function 00453470: GetLastError.KERNEL32(00000000,00454005,00000005,00000000,0045403A,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004978B1,00000000), ref: 00453473
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateErrorFileHandleLast
                                                  • String ID: CreateFile
                                                  • API String ID: 2528220319-823142352
                                                  • Opcode ID: 45f398a1a593fdecff2147bb029019ab571d1f120eeae4798deb9ab921dd96fc
                                                  • Instruction ID: 870c31508693feaa39a4cce9bbdb9491accbaf3cbacbc975652ec4f9337bcdac
                                                  • Opcode Fuzzy Hash: 45f398a1a593fdecff2147bb029019ab571d1f120eeae4798deb9ab921dd96fc
                                                  • Instruction Fuzzy Hash: 88E06D302403447FEA10EA69CCC6F497798AB04728F10C152FA48AF3E2C5B9FC80866C
                                                  APIs
                                                    • Part of subcall function 00456E64: CoInitialize.OLE32(00000000), ref: 00456E6A
                                                    • Part of subcall function 0042E38C: SetErrorMode.KERNEL32(00008000), ref: 0042E396
                                                    • Part of subcall function 0042E38C: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E0,?,00000000,0042E3FE,?,00008000), ref: 0042E3C5
                                                  • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456EF8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                  • String ID: SHCreateItemFromParsingName$shell32.dll
                                                  • API String ID: 2906209438-2320870614
                                                  • Opcode ID: 08d23a7e6096c5616a14a2d2cd89d11c62b3b5d1f72113431a163231d9b2ac33
                                                  • Instruction ID: 195fe0e36b32ee525331c9a8c220a45252f3edc4141651a384f0b9e1c2da6bc9
                                                  • Opcode Fuzzy Hash: 08d23a7e6096c5616a14a2d2cd89d11c62b3b5d1f72113431a163231d9b2ac33
                                                  • Instruction Fuzzy Hash: 45C00291B4265092CA40B7FA695261E28049B8031AB92813BB951A7587CA6C88099A6E
                                                  APIs
                                                    • Part of subcall function 0042E38C: SetErrorMode.KERNEL32(00008000), ref: 0042E396
                                                    • Part of subcall function 0042E38C: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E0,?,00000000,0042E3FE,?,00008000), ref: 0042E3C5
                                                  • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CC25
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressErrorLibraryLoadModeProc
                                                  • String ID: SHPathPrepareForWriteA$shell32.dll
                                                  • API String ID: 2492108670-2683653824
                                                  • Opcode ID: 55b93e5fb714966f70f5ffd37ba9539aaa645b322ed6e907ef1699bb6481b051
                                                  • Instruction ID: f133f44782887ed2db26bd8e5f2adaf6b1782a38bec069888892578a86e918ee
                                                  • Opcode Fuzzy Hash: 55b93e5fb714966f70f5ffd37ba9539aaa645b322ed6e907ef1699bb6481b051
                                                  • Instruction Fuzzy Hash: 85B092A060274086CB00B7A2699262B28059740309B90803BB0889B286EA3C88121BEF
                                                  APIs
                                                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448701), ref: 00448644
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 004486C5
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID:
                                                  • API String ID: 2574300362-0
                                                  • Opcode ID: 38a0c8dcb6cfe2486321be47105cd2edcf630b03ef44025de89f80e5062423d0
                                                  • Instruction ID: 4a5ebe3fee4a2e51bf72c529b0c862ae9b4ea9e2815ff95c09d8a3db799a058c
                                                  • Opcode Fuzzy Hash: 38a0c8dcb6cfe2486321be47105cd2edcf630b03ef44025de89f80e5062423d0
                                                  • Instruction Fuzzy Hash: 4A515470E00105AFDB40EFA5C481AAEBBF9EB45315F11817FE814BB391DA789E05CB99
                                                  APIs
                                                  • GetSystemMenu.USER32(00000000,00000000,00000000,00481378), ref: 00481310
                                                  • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00481321
                                                  • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00481339
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Menu$Append$System
                                                  • String ID:
                                                  • API String ID: 1489644407-0
                                                  • Opcode ID: 63b26f928f1c87accb3103f044f3acf90972e1faa844404f13018ca58e8bddc3
                                                  • Instruction ID: 5c8896f7e766c0ec1e9fe117ebe49108a2e73e6ee011f2acc73c141eda266b91
                                                  • Opcode Fuzzy Hash: 63b26f928f1c87accb3103f044f3acf90972e1faa844404f13018ca58e8bddc3
                                                  • Instruction Fuzzy Hash: F431A0307043441AE711FB759C82BAE3B989B55318F54997BBC00A62E3CA7C9C4A87AD
                                                  APIs
                                                  • 74D41520.VERSION(00000000,?,?,?,00496E0C), ref: 00452504
                                                  • 74D41500.VERSION(00000000,?,00000000,?,00000000,0045257F,?,00000000,?,?,?,00496E0C), ref: 00452531
                                                  • 74D41540.VERSION(?,004525A8,?,?,00000000,?,00000000,?,00000000,0045257F,?,00000000,?,?,?,00496E0C), ref: 0045254B
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: D41500D41520D41540
                                                  • String ID:
                                                  • API String ID: 2153611984-0
                                                  • Opcode ID: c4d10431c24d3ec04fd95a2756a86a033cda299e0aeed98268810ee563e95d09
                                                  • Instruction ID: e6b34cf6ad4872bd94a826b675f3d2b909ad99421c044533a40ff62eec17d383
                                                  • Opcode Fuzzy Hash: c4d10431c24d3ec04fd95a2756a86a033cda299e0aeed98268810ee563e95d09
                                                  • Instruction Fuzzy Hash: C2219531A00608BFDB01DAA98D519AFB7FCEB4A341F554477FC04E3242E6B9AE04C769
                                                  APIs
                                                  • 73A1A570.USER32(00000000,?,00000000,00000000,0044B485,?,00481BA7,?,?), ref: 0044B3F9
                                                  • SelectObject.GDI32(?,00000000), ref: 0044B41C
                                                  • 73A1A480.USER32(00000000,?,0044B45C,00000000,0044B455,?,00000000,?,00000000,00000000,0044B485,?,00481BA7,?,?), ref: 0044B44F
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: A480A570ObjectSelect
                                                  • String ID:
                                                  • API String ID: 1230475511-0
                                                  • Opcode ID: c86bc8a9f0cb4198ec92499236d982b336435bb3408aeec5184fda352670fa70
                                                  • Instruction ID: d0000cdbf443d5d41ac7fc8b7796d2cef13fade9d4e1083fbf8e955bfb0ad8b0
                                                  • Opcode Fuzzy Hash: c86bc8a9f0cb4198ec92499236d982b336435bb3408aeec5184fda352670fa70
                                                  • Instruction Fuzzy Hash: 94217770A04348AFEB11DFA6C851B9FBBB8DB49304F5184BAF904A6682D778D940CB59
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B144,?,00481BA7,?,?), ref: 0044B116
                                                  • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B129
                                                  • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B15D
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: DrawText$ByteCharMultiWide
                                                  • String ID:
                                                  • API String ID: 65125430-0
                                                  • Opcode ID: a3bbdd0e85052032b4464c044c199c381ab15dbe2007c11af0ea937095cc15c9
                                                  • Instruction ID: 20993999b02ad9b2d132c7482a3993701c750e35562fff3cb1b1e5e45c97fd42
                                                  • Opcode Fuzzy Hash: a3bbdd0e85052032b4464c044c199c381ab15dbe2007c11af0ea937095cc15c9
                                                  • Instruction Fuzzy Hash: 9211B9B17046047FEB00DA6A9C82D6F77EDEB49754F10417AF504D7290D6399E0186A9
                                                  APIs
                                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042440A
                                                  • TranslateMessage.USER32(?), ref: 00424487
                                                  • DispatchMessageA.USER32(?), ref: 00424491
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Message$DispatchPeekTranslate
                                                  • String ID:
                                                  • API String ID: 4217535847-0
                                                  • Opcode ID: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
                                                  • Instruction ID: b41559e7cef9b8617ee35765752275fac57a970be1b78d71f4432c2d4d9c435b
                                                  • Opcode Fuzzy Hash: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
                                                  • Instruction Fuzzy Hash: E911943030471096EA20F6A4E94179B73D4DFC1748F80485EF98997382D7BD9E45979F
                                                  APIs
                                                  • SetPropA.USER32(00000000,00000000), ref: 00416662
                                                  • SetPropA.USER32(00000000,00000000), ref: 00416677
                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 0041669E
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Prop$Window
                                                  • String ID:
                                                  • API String ID: 3363284559-0
                                                  • Opcode ID: c28d9c26afe72c5be1bf0cacc918de6e274a174950c4a3475c45b681fa8918c3
                                                  • Instruction ID: 2f709078d098ddf512341954ec1abde5ac178872df7165362e48a9b460053d77
                                                  • Opcode Fuzzy Hash: c28d9c26afe72c5be1bf0cacc918de6e274a174950c4a3475c45b681fa8918c3
                                                  • Instruction Fuzzy Hash: 11F0B271701210ABDB10AB599C85FA732DCAB09715F16017AB945EF286C6B8DD5087A8
                                                  APIs
                                                  • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Virtual$AllocFree
                                                  • String ID: l"s
                                                  • API String ID: 2087232378-3492974064
                                                  • Opcode ID: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                  • Instruction ID: 119661fe7174a079321c86e78af40791ac039b5eb8373b45468023a5ba433726
                                                  • Opcode Fuzzy Hash: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                  • Instruction Fuzzy Hash: F7F08272A0063067EB60596A4C81B5359859BC5B94F154076FD09FF3E9D6B58C0142A9
                                                  APIs
                                                  • IsWindowVisible.USER32(?), ref: 0041EE5C
                                                  • IsWindowEnabled.USER32(?), ref: 0041EE66
                                                  • EnableWindow.USER32(?,00000000), ref: 0041EE8C
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Window$EnableEnabledVisible
                                                  • String ID:
                                                  • API String ID: 3234591441-0
                                                  • Opcode ID: 8d68ea6b8e39d06ec6ae2b778d87487b924e250a5b1b44c5d2ba2f9a93d60018
                                                  • Instruction ID: 168d1bb9c0e6e8839a01a9d99d3d7c452caa6e9a1b9b90f31caf5ae3eef8e520
                                                  • Opcode Fuzzy Hash: 8d68ea6b8e39d06ec6ae2b778d87487b924e250a5b1b44c5d2ba2f9a93d60018
                                                  • Instruction Fuzzy Hash: 75E06D75100300AAE701AB2BDCC1B5B7ADCAB54350F02843FA9489B292D63ADC408B3C
                                                  APIs
                                                  • SetActiveWindow.USER32(?), ref: 00469E55
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ActiveWindow
                                                  • String ID: PrepareToInstall
                                                  • API String ID: 2558294473-1101760603
                                                  • Opcode ID: 81b39a8fdeb0dad2a777ccf23e1b5cc1b94ea3789fac9a2a9b8faf6000b70bf0
                                                  • Instruction ID: e2c6ec18e62d86bdb0c44b4d883dda39cec9e825136043f452d3b1ffdd24169b
                                                  • Opcode Fuzzy Hash: 81b39a8fdeb0dad2a777ccf23e1b5cc1b94ea3789fac9a2a9b8faf6000b70bf0
                                                  • Instruction Fuzzy Hash: 32A12C34A00105DFCB00EF9AD986EDEB7F5EF48304F5580B6E404AB362D778AE459B99
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: /:*?"<>|
                                                  • API String ID: 0-4078764451
                                                  • Opcode ID: 6835233e7ea63174332d10e4dcc06dbd64aaa3a2a45f414fb28228d8854cf9c9
                                                  • Instruction ID: b0c2865fc5a4d1d7a494ca3edaa4dc5a45f3ff44e2e280cd3bc35834766e41d0
                                                  • Opcode Fuzzy Hash: 6835233e7ea63174332d10e4dcc06dbd64aaa3a2a45f414fb28228d8854cf9c9
                                                  • Instruction Fuzzy Hash: 1671D770B002546AEB20EB66DCC2BEE77A19F44704F50C067F580AB391E779AD85875F
                                                  APIs
                                                  • SetActiveWindow.USER32(?), ref: 00481C3A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ActiveWindow
                                                  • String ID: InitializeWizard
                                                  • API String ID: 2558294473-2356795471
                                                  • Opcode ID: fdb67a5f3bc31efd8c5029728f1dc86113fdadd76a2f434d4b50cbf8c80ff7a4
                                                  • Instruction ID: 5241d356f86f5b5e3f0808c496da9b9c49bd8f9ac143394a12901a1e43732a0a
                                                  • Opcode Fuzzy Hash: fdb67a5f3bc31efd8c5029728f1dc86113fdadd76a2f434d4b50cbf8c80ff7a4
                                                  • Instruction Fuzzy Hash: 411182342452009FD700EBA9ED96B693BE8EB65318F10043BE5018B2A1DA396C01CB2D
                                                  APIs
                                                    • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047BFEA,00000000,0047C124), ref: 0047BDE9
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047BDB9
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseOpen
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion
                                                  • API String ID: 47109696-1019749484
                                                  • Opcode ID: f9eb47421012cec5c34730d2a4c0e30c6d7bbbf73eea55f5f75bb62311f339ce
                                                  • Instruction ID: 054ff1380bf98a065617cb750ccb895fcb12562a11c78c2a0c7ed737f373e9e0
                                                  • Opcode Fuzzy Hash: f9eb47421012cec5c34730d2a4c0e30c6d7bbbf73eea55f5f75bb62311f339ce
                                                  • Instruction Fuzzy Hash: F2F082317045186BDA10A65F9C42BEBA69DCB84758F20403BF508DB343DAB99E0242EC
                                                  APIs
                                                  • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F352,?,?,00000000,0046F516,?,_is1,?), ref: 0046ECE7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Value
                                                  • String ID: NoModify
                                                  • API String ID: 3702945584-1699962838
                                                  • Opcode ID: 7eb4ab459c3921dc5338c7b3abf7fd5903c54a3e898984c04107b97a88657072
                                                  • Instruction ID: 1140eb4c3ce40d11de990e217cdc8ecc45d3a806a677c2547659d4957ea667b8
                                                  • Opcode Fuzzy Hash: 7eb4ab459c3921dc5338c7b3abf7fd5903c54a3e898984c04107b97a88657072
                                                  • Instruction Fuzzy Hash: C6E04FB4640308BFEB04DB55DD4AF6AB7ECDB48724F104059BA049B280E674FE00C669
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                  Strings
                                                  • System\CurrentControlSet\Control\Windows, xrefs: 0042DE2E
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID: System\CurrentControlSet\Control\Windows
                                                  • API String ID: 71445658-1109719901
                                                  • Opcode ID: 3bdcab3ffa95dd7854a6d474c2ff8c4d7b332cac827883cc7250e5693ef667ec
                                                  • Instruction ID: d7cc6eff87d81a3ef1983a0911a62a1ada5c46f4ff843c2b0821017aeb54f6c2
                                                  • Opcode Fuzzy Hash: 3bdcab3ffa95dd7854a6d474c2ff8c4d7b332cac827883cc7250e5693ef667ec
                                                  • Instruction Fuzzy Hash: 88D0C972910228BBEB00DE89DC41DFB77ADDB19760F45802AFD04AB241C6B4EC519BF8
                                                  APIs
                                                  • GetACP.KERNEL32(?,?,00000001,00000000,0047DD9B,?,-0000001A,0047FC14,-00000010,?,00000004,0000001B,00000000,0047FF61,?,0045D988), ref: 0047DB32
                                                    • Part of subcall function 0042E314: 73A1A570.USER32(00000000,00000000,0047FFC8,?,?,00000001,00000000,00000002,00000000,004808CA,?,?,?,?,?,004981E7), ref: 0042E323
                                                    • Part of subcall function 0042E314: EnumFontsA.GDI32(?,00000000,0042E300,00000000,00000000,0042E36C,?,00000000,00000000,0047FFC8,?,?,00000001,00000000,00000002,00000000), ref: 0042E34E
                                                    • Part of subcall function 0042E314: 73A1A480.USER32(00000000,?,0042E373,00000000,00000000,0042E36C,?,00000000,00000000,0047FFC8,?,?,00000001,00000000,00000002,00000000), ref: 0042E366
                                                  • SendNotifyMessageA.USER32(00020450,00000496,00002711,-00000001), ref: 0047DD02
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: A480A570EnumFontsMessageNotifySend
                                                  • String ID:
                                                  • API String ID: 2685184028-0
                                                  • Opcode ID: 1699f4068c0c5867e7106ba40e3d9973070bda02754bb9a23a09a502d1616ce7
                                                  • Instruction ID: 990e0cae6f69a79882f0940071147895bcf3dc4f71101f62f717fb2ce75f629c
                                                  • Opcode Fuzzy Hash: 1699f4068c0c5867e7106ba40e3d9973070bda02754bb9a23a09a502d1616ce7
                                                  • Instruction Fuzzy Hash: FD517074A101008BCB21EF26E98169637B9EF94308B50C57BA8499F367C778ED46CB9D
                                                  APIs
                                                  • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFCE,?,?,00000008,00000000,00000000,0042DFFB), ref: 0042DF64
                                                  • RegCloseKey.ADVAPI32(?,0042DFD5,?,00000000,00000000,00000000,00000000,00000000,0042DFCE,?,?,00000008,00000000,00000000,0042DFFB), ref: 0042DFC8
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseEnum
                                                  • String ID:
                                                  • API String ID: 2818636725-0
                                                  • Opcode ID: 9f8261b046af4c0305013da9979aadb613cc1e3f6400fb4ebe2b883e54c4606e
                                                  • Instruction ID: c872a63f9528d4f9380aaceb5e2d891e8c563da0940016be03c3acb485ce214c
                                                  • Opcode Fuzzy Hash: 9f8261b046af4c0305013da9979aadb613cc1e3f6400fb4ebe2b883e54c4606e
                                                  • Instruction Fuzzy Hash: A8319370F04258AEDB11DFA6DD42BBFBBB9EB49304F92447BE401E6281D6385E01CA1D
                                                  APIs
                                                  • CreateProcessA.KERNEL32(00000000,00000000,?,?,00458098,00000000,00458080,?,?,?,00000000,00452836,?,?,?,00000001), ref: 00452810
                                                  • GetLastError.KERNEL32(00000000,00000000,?,?,00458098,00000000,00458080,?,?,?,00000000,00452836,?,?,?,00000001), ref: 00452818
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CreateErrorLastProcess
                                                  • String ID:
                                                  • API String ID: 2919029540-0
                                                  • Opcode ID: e0555b4cbc397befea5ce91cbbea4dedbfe526bfc705885143054cd240055755
                                                  • Instruction ID: e9b66965f7ed38539142cc2995e542ed63b4c0771d7d6ba66a5e4ac3981b0267
                                                  • Opcode Fuzzy Hash: e0555b4cbc397befea5ce91cbbea4dedbfe526bfc705885143054cd240055755
                                                  • Instruction Fuzzy Hash: 70113C72604608AF8B50DEADDD41D9FB7ECEB4D310B114567FD18D3241D674AD148BA8
                                                  APIs
                                                  • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AFDA
                                                  • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B137,00000000,0040B14F,?,?,?,00000000), ref: 0040AFEB
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Resource$FindFree
                                                  • String ID:
                                                  • API String ID: 4097029671-0
                                                  • Opcode ID: bd4d08f36a9d4a560adef0fa1bde098128f2b715f965cb3459cef9598ac6c158
                                                  • Instruction ID: aeeba5ce467f8effdb78304bcd792b874f75604bed8582862ca5d9c37e282381
                                                  • Opcode Fuzzy Hash: bd4d08f36a9d4a560adef0fa1bde098128f2b715f965cb3459cef9598ac6c158
                                                  • Instruction Fuzzy Hash: CE01DF71700700AFDB14EF65AC92A1B77ADDB4A714B11807AF400AB3D1DA39AC019AA9
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 0041EEEB
                                                  • 73A25940.USER32(00000000,0041EE4C,00000000,00000000,0041EF08,?,00000000,0041EF3F,?,0042EEA8,?,00000001), ref: 0041EEF1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: A25940CurrentThread
                                                  • String ID:
                                                  • API String ID: 2655091166-0
                                                  • Opcode ID: b000ad2c2d45302efb537f6ed51b85bb3a5cc49cf8a353236d3522148df1097f
                                                  • Instruction ID: ec06e6b8def62778297c6a117e91140491810bf1675edd7fb5fc45fb14f34894
                                                  • Opcode Fuzzy Hash: b000ad2c2d45302efb537f6ed51b85bb3a5cc49cf8a353236d3522148df1097f
                                                  • Instruction Fuzzy Hash: D9015B76A04604BFD706CF6BDC1199ABBE8E789720B22887BEC04D3690E6355810DF18
                                                  APIs
                                                  • MoveFileA.KERNEL32(00000000,00000000), ref: 00452C96
                                                  • GetLastError.KERNEL32(00000000,00000000,00000000,00452CBC), ref: 00452C9E
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastMove
                                                  • String ID:
                                                  • API String ID: 55378915-0
                                                  • Opcode ID: 4b3f53bb71bbb3de239a758d95ad3dd7b2750d400091be83cb52db7a615a65e0
                                                  • Instruction ID: 72322736c602c8c7a1920fbe291f5aeb87443d44c1116871956ce6e3077d7411
                                                  • Opcode Fuzzy Hash: 4b3f53bb71bbb3de239a758d95ad3dd7b2750d400091be83cb52db7a615a65e0
                                                  • Instruction Fuzzy Hash: C9012671B00604AB8B01EB799D4189EB7ECDB4A32575045BBFC14E3343EA784E04456C
                                                  APIs
                                                  • VirtualFree.KERNEL32(?,?,00004000,?,?,?,00003D40,00007D43,00401973), ref: 00401766
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: FreeVirtual
                                                  • String ID: l"s
                                                  • API String ID: 1263568516-3492974064
                                                  • Opcode ID: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                  • Instruction ID: fd45504e6079eb3c344fd15592bdf3984e08e9418c18d248e8b2091ea2ac4f2a
                                                  • Opcode Fuzzy Hash: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
                                                  • Instruction Fuzzy Hash: A10120766443148FC3109F29EDC0E2677E8D794378F15453EDA85673A1D37A6C0187D8
                                                  APIs
                                                  • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527A3), ref: 0045277D
                                                  • GetLastError.KERNEL32(00000000,00000000,00000000,004527A3), ref: 00452785
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CreateDirectoryErrorLast
                                                  • String ID:
                                                  • API String ID: 1375471231-0
                                                  • Opcode ID: 9ee879c615aac4fee22e4c99406f95e71c245cbd6d77cc6155be40721354894d
                                                  • Instruction ID: e798b8fcaf2c893210dd6dd972d3083c0fc79cae1e6532b7171fe4e83a13409b
                                                  • Opcode Fuzzy Hash: 9ee879c615aac4fee22e4c99406f95e71c245cbd6d77cc6155be40721354894d
                                                  • Instruction Fuzzy Hash: E1F02871A04604BFCB00EF759E4159EB3E8DB0E721B1045B7FC04E3242E7B94E048598
                                                  APIs
                                                  • LoadCursorA.USER32(00000000,00007F00), ref: 00423241
                                                  • LoadCursorA.USER32(00000000,00000000), ref: 0042326B
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CursorLoad
                                                  • String ID:
                                                  • API String ID: 3238433803-0
                                                  • Opcode ID: 57390d314a1cb7161e6ddc30cf2ec12f57c29d9a020bc84e90da4252d8f033e1
                                                  • Instruction ID: 59516fef74be350ba7f17c0e511b54e8d6c2303d910d3728eb6a55db14448276
                                                  • Opcode Fuzzy Hash: 57390d314a1cb7161e6ddc30cf2ec12f57c29d9a020bc84e90da4252d8f033e1
                                                  • Instruction Fuzzy Hash: 68F0271170421066D6109E3E6CC0A6B72A8DF82335B71037BFB3EC72D1CA2E1D414569
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00008000), ref: 0042E396
                                                  • LoadLibraryA.KERNEL32(00000000,00000000,0042E3E0,?,00000000,0042E3FE,?,00008000), ref: 0042E3C5
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorLibraryLoadMode
                                                  • String ID:
                                                  • API String ID: 2987862817-0
                                                  • Opcode ID: 5e1e313bdd13d7489a01f7e50f084508f9c5c97fde52d832d9963c9b8019f2bb
                                                  • Instruction ID: aa33dc687cd71512c069df69893670fc4fcbad3b08ca7d4395289e8ee6212cdb
                                                  • Opcode Fuzzy Hash: 5e1e313bdd13d7489a01f7e50f084508f9c5c97fde52d832d9963c9b8019f2bb
                                                  • Instruction Fuzzy Hash: 13F08270714B44BFDB019F779CA282BBBECEB49B1179249B6FD00A3691E53C5910C928
                                                  APIs
                                                  • GetClassInfoA.USER32(00400000,?,?), ref: 004162D9
                                                  • GetClassInfoA.USER32(00000000,?,?), ref: 004162E9
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ClassInfo
                                                  • String ID:
                                                  • API String ID: 3534257612-0
                                                  • Opcode ID: 0cefddb0d68ec1ee3d6e09aa9ac37d408dcb608ad702880eba3eeb66fdb88c2a
                                                  • Instruction ID: 6cd5cb93a67b39dfae17eda9b7884797c0ece5161c54fd1178b0752c2523ee83
                                                  • Opcode Fuzzy Hash: 0cefddb0d68ec1ee3d6e09aa9ac37d408dcb608ad702880eba3eeb66fdb88c2a
                                                  • Instruction Fuzzy Hash: C7E01AB26015146EE710DFA89D81EE73BDCDB08350B2201B7FE08CB246D3A4DD008BA8
                                                  APIs
                                                  • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,0046FF69,?,00000000), ref: 004508E2
                                                  • GetLastError.KERNEL32(?,00000000,?,00000002,?,?,0046FF69,?,00000000), ref: 004508EA
                                                    • Part of subcall function 00450688: GetLastError.KERNEL32(004504A4,0045074A,?,00000000,?,00497338,00000001,00000000,00000002,00000000,00497499,?,?,00000005,00000000,004974CD), ref: 0045068B
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$FilePointer
                                                  • String ID:
                                                  • API String ID: 1156039329-0
                                                  APIs
                                                  Similarity
                                                  • API ID: Global$AllocLock
                                                  • String ID:
                                                  • API String ID: 15508794-0
                                                  APIs
                                                  • GetSystemDefaultLCID.KERNEL32(00000000,00408702), ref: 004085EB
                                                    • Part of subcall function 00406DDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406DF9
                                                    • Part of subcall function 00408558: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408623,?,00000000,00408702), ref: 00408576
                                                  Similarity
                                                  • API ID: DefaultInfoLoadLocaleStringSystem
                                                  • String ID:
                                                  • API String ID: 1658689577-0
                                                  APIs
                                                  • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC31
                                                  Similarity
                                                  • API ID: InfoScroll
                                                  • String ID:
                                                  • API String ID: 629608716-0
                                                  APIs
                                                    • Part of subcall function 0041EE9C: GetCurrentThreadId.KERNEL32 ref: 0041EEEB
                                                    • Part of subcall function 0041EE9C: 73A25940.USER32(00000000,0041EE4C,00000000,00000000,0041EF08,?,00000000,0041EF3F,?,0042EEA8,?,00000001), ref: 0041EEF1
                                                  • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C2CE,?,00000000,?,?,0046C4E0,?,00000000,0046C554), ref: 0046C2B2
                                                    • Part of subcall function 0041EF50: IsWindow.USER32(?), ref: 0041EF5E
                                                    • Part of subcall function 0041EF50: EnableWindow.USER32(?,00000001), ref: 0041EF6D
                                                  Similarity
                                                  • API ID: Window$A25940CurrentEnablePathPrepareThreadWrite
                                                  • String ID:
                                                  • API String ID: 390483697-0
                                                  APIs
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  APIs
                                                  • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 0041657D
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  APIs
                                                  • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149E7
                                                  Similarity
                                                  • API ID: CallbackDispatcherUser
                                                  • String ID:
                                                  • API String ID: 2492992576-0
                                                  APIs
                                                  • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004507D8
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  APIs
                                                  • GetFileAttributesA.KERNEL32(00000000,00000000,0042CD0C,?,00000001,?,?,00000000,?,0042CD5E,00000000,004529F9,00000000,00452A1A,?,00000000), ref: 0042CCEF
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  APIs
                                                  • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453247,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8DF
                                                  Similarity
                                                  • API ID: FormatMessage
                                                  • String ID:
                                                  • API String ID: 1306739567-0
                                                  APIs
                                                  • GetTextExtentPointA.GDI32(?,00000000,00000000), ref: 0041AF93
                                                  Similarity
                                                  • API ID: ExtentPointText
                                                  • String ID:
                                                  • API String ID: 566491939-0
                                                  APIs
                                                  • CreateWindowExA.USER32(00000000,00423674,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C04), ref: 00406311
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  APIs
                                                  • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE08
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  APIs
                                                  • FindClose.KERNEL32(00000000,000000FF,0047078C,00000000,00471588,?,00000000,004715D1,?,00000000,0047170A,?,00000000,?,00000000), ref: 00454BE2
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseFind
                                                  • String ID:
                                                  • API String ID: 1863332320-0
                                                  • Opcode ID: 06d429211cbdde73cb23459f0bbdb60b04e95dac6161286f70ab338dbad9895d
                                                  • Instruction ID: 5b38ea55cb3c31d0920dcaeaf3b0ab9c64c5d1fc8265480bc1e0bc694521aac9
                                                  • Opcode Fuzzy Hash: 06d429211cbdde73cb23459f0bbdb60b04e95dac6161286f70ab338dbad9895d
                                                  • Instruction Fuzzy Hash: C3E092B0A056008BCB14DF3A898031A7AD29FC9324F04C56AEC9CCF3D7E63DC8594A27
                                                  APIs
                                                  • KiUserCallbackDispatcher.NTDLL(00494EF2,?,00494F14,?,?,00000000,00494EF2,?,?), ref: 00414693
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CallbackDispatcherUser
                                                  • String ID:
                                                  • API String ID: 2492992576-0
                                                  • Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                  • Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                                  • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                  • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                                  APIs
                                                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F14
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  • Opcode ID: 5f93265df2524d0dcc0c9b34101366d534c30ce5f0cb0d235cb6b24d2b8f20db
                                                  • Instruction ID: cfde3e3822fa8edba560b3c3045b88a59d445a8db7eea6df610edd37a4bd72e7
                                                  • Opcode Fuzzy Hash: 5f93265df2524d0dcc0c9b34101366d534c30ce5f0cb0d235cb6b24d2b8f20db
                                                  • Instruction Fuzzy Hash: A3D012722081516AD220965AAC44EAB6BDCCBC5770F11063AB558C2181D7609C01C675
                                                  APIs
                                                    • Part of subcall function 004235F0: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 00423605
                                                  • ShowWindow.USER32(00410648,00000009,?,00000000,0041ED9C,00423932,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C04), ref: 0042365F
                                                    • Part of subcall function 00423620: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 0042363C
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: InfoParametersSystem$ShowWindow
                                                  • String ID:
                                                  • API String ID: 3202724764-0
                                                  • Opcode ID: fce0b26c2d9ed10aeec85bb6dc1e2ec36172a6d8969be9752991d6a22a5a0e05
                                                  • Instruction ID: ebc5fdb8686796c5fd5eba84b5ab6671b787b6de9fbea9510ee25edb69bb1d0b
                                                  • Opcode Fuzzy Hash: fce0b26c2d9ed10aeec85bb6dc1e2ec36172a6d8969be9752991d6a22a5a0e05
                                                  • Instruction Fuzzy Hash: 7CD05E123412703182307ABB384598B46AC8D922A6749043BB4448B347ED5DCE1110BC
                                                  APIs
                                                  • SetWindowTextA.USER32(?,00000000), ref: 004242D4
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: TextWindow
                                                  • String ID:
                                                  • API String ID: 530164218-0
                                                  • Opcode ID: 63c2204a93b3ceeccd91b68fb1f2f63f98ac991c37a9674dd692e28dceb45842
                                                  • Instruction ID: 82e7bab73c65a9778cea5b734bd50d71f4a8736701fc7bbe01534373bbdf07f9
                                                  • Opcode Fuzzy Hash: 63c2204a93b3ceeccd91b68fb1f2f63f98ac991c37a9674dd692e28dceb45842
                                                  • Instruction Fuzzy Hash: 0BD05BE27011205BC701BAED54C4AC667CC4B4925671440BBF904EF257D638CD514398
                                                  APIs
                                                  • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467650,00000000,00000000,00000000,0000000C,00000000), ref: 00466980
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CallbackDispatcherUser
                                                  • String ID:
                                                  • API String ID: 2492992576-0
                                                  • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                  • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                                  • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                  • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
                                                  APIs
                                                  • GetFileAttributesA.KERNEL32(00000000,00000000,0045159F,00000000), ref: 0042CD27
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  • Opcode ID: a20a0933f9adf495ad294cc7f43800295bba8e01ea8a7e04e2e8fcb3411a2c60
                                                  • Instruction ID: 582242be021ecdaa9f487f520a6273a00fb8a2f6ff7a96cbd182f7b59f56d267
                                                  • Opcode Fuzzy Hash: a20a0933f9adf495ad294cc7f43800295bba8e01ea8a7e04e2e8fcb3411a2c60
                                                  • Instruction Fuzzy Hash: 9EC08CE03222101A9E1069BD2CC521F46C8891823A3A41E3BB528E72D2E23D88262818
                                                  APIs
                                                  • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A8BC,0040CE68,?,00000000,?), ref: 00406ECD
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: 434cd2ceddc45fc6059baf9bd558cd456b1210cf1f9af3b638900e146cb02294
                                                  • Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
                                                  • Opcode Fuzzy Hash: 434cd2ceddc45fc6059baf9bd558cd456b1210cf1f9af3b638900e146cb02294
                                                  • Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                                  APIs
                                                  • SetEndOfFile.KERNEL32(?,?,0045C162,00000000,0045C2ED,?,00000000,00000002,00000002), ref: 00450907
                                                    • Part of subcall function 00450688: GetLastError.KERNEL32(004504A4,0045074A,?,00000000,?,00497338,00000001,00000000,00000002,00000000,00497499,?,?,00000005,00000000,004974CD), ref: 0045068B
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLast
                                                  • String ID:
                                                  • API String ID: 734332943-0
                                                  • Opcode ID: df934b34f1bc85ce2471d95e5f96b66cab128c3cad0ff5fb16097d4bfcec1436
                                                  • Instruction ID: b7b79c15840fa76abef9437e43e4f8825fb2e58c400bd883dda953f657da4aaf
                                                  • Opcode Fuzzy Hash: df934b34f1bc85ce2471d95e5f96b66cab128c3cad0ff5fb16097d4bfcec1436
                                                  • Instruction Fuzzy Hash: A9C09BB93011158BDF50E6FEC5C1D0763DC6F5C30A7514166BD04CF207E668DC154B18
                                                  APIs
                                                  • SetCurrentDirectoryA.KERNEL32(00000000,?,004972C6,00000000,00497499,?,?,00000005,00000000,004974CD,?,?,00000000), ref: 004072A3
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectory
                                                  • String ID:
                                                  • API String ID: 1611563598-0
                                                  • Opcode ID: 3c8093bb5f09dc1c1582e908db928c9e5cb26b64588de7f0dbcd6adb7ad2976f
                                                  • Instruction ID: 2ee9fcf0c2ecb8048618371478a38130c752a95b947e2a8aefd026f579ab26ad
                                                  • Opcode Fuzzy Hash: 3c8093bb5f09dc1c1582e908db928c9e5cb26b64588de7f0dbcd6adb7ad2976f
                                                  • Instruction Fuzzy Hash: 33B012E03D120A2BCA0079FE4CC192A00CC46292163401B3B3006EB1C3D83DC8180824
                                                  APIs
                                                  • SetErrorMode.KERNEL32(?,0042E405), ref: 0042E3F8
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  • Opcode ID: f4ecfd3f9628561c4f225325444755a3e89d37cff15fe7854645b1b41ac61961
                                                  • Instruction ID: 0a31ae7c3a111c16d424c34ef622fbdc70eb0dd2bd2df7fa5b045972c40067f9
                                                  • Opcode Fuzzy Hash: f4ecfd3f9628561c4f225325444755a3e89d37cff15fe7854645b1b41ac61961
                                                  • Instruction Fuzzy Hash: C5B09B7670C6105DA719DED5B45552D63D4D7C47207E14477F000D2581D97C58014A18
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e610db4be5d09209adc61dd78440b7b0e9dd7066f593708e54d36c975471eb1e
                                                  • Instruction ID: 4f6e5339ba6c71e81ef5aec1f6829bfe42d3c8de95bc03762545e97b2cddf6f9
                                                  • Opcode Fuzzy Hash: e610db4be5d09209adc61dd78440b7b0e9dd7066f593708e54d36c975471eb1e
                                                  • Instruction Fuzzy Hash: 1AA00275501500AADA00E7B5D849F7E2298BB44204FD905F9714897056C57C99008B55
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cb9b9dd83b9c3a50c03624de410b9d2001f21e86ad2002bd7b0a23a4e373be6c
                                                  • Instruction ID: 536338a183f72747ee396c39aaf2d9ae1316c242f91420f2fc1fbbab771670b7
                                                  • Opcode Fuzzy Hash: cb9b9dd83b9c3a50c03624de410b9d2001f21e86ad2002bd7b0a23a4e373be6c
                                                  • Instruction Fuzzy Hash: 73519770E042099FEB00EFA5C892AAEBBF5EF49714F50417AE504E7351DB389E41CB98
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0047D754,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047D70E
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide
                                                  • String ID:
                                                  • API String ID: 626452242-0
                                                  • Opcode ID: c7e5cdcebff257ae51aff8300cd1cc40ed83c093b3b6095f0ee234a78004d27f
                                                  • Instruction ID: ceed5698e636368dfd76c0cd730b865cf5009e2f8cb46b99e2292a0b329ee420
                                                  • Opcode Fuzzy Hash: c7e5cdcebff257ae51aff8300cd1cc40ed83c093b3b6095f0ee234a78004d27f
                                                  • Instruction Fuzzy Hash: 7C518170A14245AFDB20DF55D8C5BAABBF9EF29304F108077E808A73A1C778AD45CB59
                                                  APIs
                                                  • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED9C,?,00423887,00423C04,0041ED9C), ref: 0041F3DA
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 22959fa884de24c48d5df6d55c2b32dc96685aad46c3c62c5ebc91be37d62682
                                                  • Instruction ID: cb23d80071df23bba1d133aab7454d5b1bd3cce231e0a29d7ee5219cf2fb9859
                                                  • Opcode Fuzzy Hash: 22959fa884de24c48d5df6d55c2b32dc96685aad46c3c62c5ebc91be37d62682
                                                  • Instruction Fuzzy Hash: 08115A752407059BDB10DF19D880B86FBE5EF58350F10C53BE9A88B385D374E84ACBA9
                                                  APIs
                                                  • GetLastError.KERNEL32(00000000,00453001), ref: 00452FE3
                                                  Similarity
                                                  • API ID: ErrorLast
                                                  • String ID:
                                                  • API String ID: 1452528299-0
                                                  • Opcode ID: f08d4b25af8aa325ab52cd9faeda57ccaa32c3ce955bb7c2d9b93568a2cf152c
                                                  • Instruction ID: 3c34fb880e90b623eb2bb31e9ea66b18baec95e7b0c87dab0e1dfc6834c7d9d6
                                                  • Opcode Fuzzy Hash: f08d4b25af8aa325ab52cd9faeda57ccaa32c3ce955bb7c2d9b93568a2cf152c
                                                  • Instruction Fuzzy Hash: 98014C356042046A8B15DF699C008AEFBE8EB4E72175046B7FC24D3382D6344E059798
                                                  APIs
                                                  Similarity
                                                  • API ID: CloseHandle
                                                  • String ID:
                                                  • API String ID: 2962429428-0
                                                  • Opcode ID: efb61ad58cd5fb487c50d8b3f78a63cdbb479017f0edef40a54ab24c8625a7e3
                                                  • Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
                                                  • Opcode Fuzzy Hash: efb61ad58cd5fb487c50d8b3f78a63cdbb479017f0edef40a54ab24c8625a7e3
                                                  • Instruction Fuzzy Hash:
                                                  APIs
                                                  • GetVersion.KERNEL32(?,00418FE8,00000000,?,?,?,00000001), ref: 0041F11E
                                                  • SetErrorMode.KERNEL32(00008000,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F13A
                                                  • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F146
                                                  • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F154
                                                  • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F184
                                                  • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1AD
                                                  • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1C2
                                                  • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1D7
                                                  • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1EC
                                                  • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F201
                                                  • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F216
                                                  • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F22B
                                                  • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F240
                                                  • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F255
                                                  • FreeLibrary.KERNEL32(00000001,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F267
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                  • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                  • API String ID: 2323315520-3614243559
                                                  • Opcode ID: 555e93f06c2ea596d0c5ea37008c95f9a766e1991345355b6851531c4bbfc724
                                                  • Instruction ID: b3d5d35426b7a88a41f50cbf902c37b37573112488e24e2852513ec86d1b0e77
                                                  • Opcode Fuzzy Hash: 555e93f06c2ea596d0c5ea37008c95f9a766e1991345355b6851531c4bbfc724
                                                  • Instruction Fuzzy Hash: 1F3150B2600700ABEB01EBB9AC46A6B3794F728324751093FB508D72A2E77C5C55CF5C
                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 0045844F
                                                  • QueryPerformanceCounter.KERNEL32(01FD3858,00000000,004586E2,?,?,01FD3858,00000000,?,00458DDE,?,01FD3858,00000000), ref: 00458458
                                                  • GetSystemTimeAsFileTime.KERNEL32(01FD3858,01FD3858), ref: 00458462
                                                  • GetCurrentProcessId.KERNEL32(?,01FD3858,00000000,004586E2,?,?,01FD3858,00000000,?,00458DDE,?,01FD3858,00000000), ref: 0045846B
                                                  • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004584E1
                                                  • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,01FD3858,01FD3858), ref: 004584EF
                                                  • CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B10,00000003,00000000,00000000,00000000,0045869E), ref: 00458537
                                                  • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045868D,?,00000000,C0000000,00000000,00499B10,00000003,00000000,00000000,00000000,0045869E), ref: 00458570
                                                    • Part of subcall function 0042D8BC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8CF
                                                  • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458619
                                                  • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045864F
                                                  • CloseHandle.KERNEL32(000000FF,00458694,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458687
                                                    • Part of subcall function 00453470: GetLastError.KERNEL32(00000000,00454005,00000005,00000000,0045403A,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004978B1,00000000), ref: 00453473
                                                  Strings
                                                  Similarity
                                                  • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                  • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                  • API String ID: 770386003-3271284199
                                                  • Opcode ID: 054b3fce73081814b7d88cf5b28d8f4160fb10be08dbad5a985f56231a1c746d
                                                  • Instruction ID: 5a0611516353431e4aeb24f6ab6c42495b14cb215b8b3d0382893c99e5952ef8
                                                  • Opcode Fuzzy Hash: 054b3fce73081814b7d88cf5b28d8f4160fb10be08dbad5a985f56231a1c746d
                                                  • Instruction Fuzzy Hash: E8711370A003449EDB11DF65CC41B9E7BF8EB19305F1085BAF958FB282DB7899448F69
                                                  APIs
                                                    • Part of subcall function 00477E04: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,01FD2BD8,?,?,?,01FD2BD8,00477FC8,00000000,004780E6,?,?,-00000010,?), ref: 00477E1D
                                                    • Part of subcall function 00477E04: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00477E23
                                                    • Part of subcall function 00477E04: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,01FD2BD8,?,?,?,01FD2BD8,00477FC8,00000000,004780E6,?,?,-00000010,?), ref: 00477E36
                                                    • Part of subcall function 00477E04: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,01FD2BD8,?,?,?,01FD2BD8), ref: 00477E60
                                                    • Part of subcall function 00477E04: CloseHandle.KERNEL32(00000000,?,?,?,01FD2BD8,00477FC8,00000000,004780E6,?,?,-00000010,?), ref: 00477E7E
                                                    • Part of subcall function 00477EDC: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00477F6E,?,?,?,01FD2BD8,?,00477FD0,00000000,004780E6,?,?,-00000010,?), ref: 00477F0C
                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00478020
                                                  • GetLastError.KERNEL32(00000000,004780E6,?,?,-00000010,?), ref: 00478029
                                                  • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00478076
                                                  • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 0047809A
                                                  • CloseHandle.KERNEL32(00000000,004780CB,00000000,00000000,000000FF,000000FF,00000000,004780C4,?,00000000,004780E6,?,?,-00000010,?), ref: 004780BE
                                                  Strings
                                                  Similarity
                                                  • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                  • String ID: =G$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                  • API String ID: 883996979-2356621170
                                                  • Opcode ID: b678e359fd0ae47c3c5922cbe0b0ba0238e438d4a6a95f87c38f16ae302c5cef
                                                  • Instruction ID: f917ad2a0ddd76f9e2927b7da1bf40d86712eb5f256f3455e7a65403f61927fd
                                                  • Opcode Fuzzy Hash: b678e359fd0ae47c3c5922cbe0b0ba0238e438d4a6a95f87c38f16ae302c5cef
                                                  • Instruction Fuzzy Hash: 6A317670A40648AFDB10EFA6C845ADE76B8EB09318F91847FF518E7281DB7C4909CB59
                                                  APIs
                                                  • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229EC
                                                  • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BB6), ref: 004229FC
                                                  Similarity
                                                  • API ID: MessageSendShowWindow
                                                  • String ID:
                                                  • API String ID: 1631623395-0
                                                  • Opcode ID: c219f7c537efeea3579c9411d70f54cec51da60040311af4759150a5570cff70
                                                  • Instruction ID: 1945ea129714beb182378817fb96d2750a9cf3de1b1d00e1964b2da952e4e1c4
                                                  • Opcode Fuzzy Hash: c219f7c537efeea3579c9411d70f54cec51da60040311af4759150a5570cff70
                                                  • Instruction Fuzzy Hash: 54917071B04254BFDB10DFA9DA86F9E77F4AB04304F5501BAF904AB292C778AE40DB58
                                                  APIs
                                                  • IsIconic.USER32(?), ref: 0041838B
                                                  • GetWindowPlacement.USER32(?,0000002C), ref: 004183A8
                                                  • GetWindowRect.USER32(?), ref: 004183C4
                                                  • GetWindowLongA.USER32(?,000000F0), ref: 004183D2
                                                  • GetWindowLongA.USER32(?,000000F8), ref: 004183E7
                                                  • ScreenToClient.USER32(00000000), ref: 004183F0
                                                  • ScreenToClient.USER32(00000000,?), ref: 004183FB
                                                  Strings
                                                  Similarity
                                                  • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                  • String ID: ,
                                                  • API String ID: 2266315723-3772416878
                                                  • Opcode ID: 6217f91ca86bc21168c1a31dc77beadf87db026dacfe8a4e2043101b83599555
                                                  • Instruction ID: e201a0486811adc056edcb3d82b1b2fee19cba914b7849b2462e59dde51cd5f3
                                                  • Opcode Fuzzy Hash: 6217f91ca86bc21168c1a31dc77beadf87db026dacfe8a4e2043101b83599555
                                                  • Instruction Fuzzy Hash: A3112BB1505201ABEB00DF69C885F9B77E8AF48314F15067EFD58DB296D738D900CBA9
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000028), ref: 004555C7
                                                  • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555CD
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004555E6
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045560D
                                                  • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455612
                                                  • ExitWindowsEx.USER32(00000002,00000000), ref: 00455623
                                                  Strings
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                  • String ID: SeShutdownPrivilege
                                                  • API String ID: 107509674-3733053543
                                                  • Opcode ID: bb799306ba89914f4ad5c57bf57863a6c2a35b94d1ae8b7cd1197278bb0a2066
                                                  • Instruction ID: a3beb9442be635481dc24a528bf80296f5a6403aa298a4e6fe1161b8e304ba10
                                                  • Opcode Fuzzy Hash: bb799306ba89914f4ad5c57bf57863a6c2a35b94d1ae8b7cd1197278bb0a2066
                                                  • Instruction Fuzzy Hash: 46F09C70294B46B5E610A6758C17F3B71889B44759F94483AFE05EE1C3EBBCD90C4A3E
                                                  APIs
                                                  • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045CFB1
                                                  • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045CFC1
                                                  • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045CFD1
                                                  • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047EFB7,00000000,0047EFE0), ref: 0045CFF6
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressProc$CryptVersion
                                                  • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                  • API String ID: 1951258720-508647305
                                                  • Opcode ID: 85d4af24599792157b57fa29dc23e54678ac232aa88ac9caf84ed8bf40255b48
                                                  • Instruction ID: aa10fef992bac70bb4986ae7772dd6d371a0f40a2d4a4027d6f3d37c18d15e1e
                                                  • Opcode Fuzzy Hash: 85d4af24599792157b57fa29dc23e54678ac232aa88ac9caf84ed8bf40255b48
                                                  • Instruction Fuzzy Hash: A1F0F9B0940700DBE728EFB6ACC67267795EBE570AF54813BA409911A2D7784499CB1C
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,004976EE,?,?,00000000,0049B628,?,00497878,00000000,004978CC,?,?,00000000,0049B628), ref: 00497607
                                                  • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049768A
                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,004976C6,?,00000000,?,00000000,004976EE,?,?,00000000,0049B628,?,00497878,00000000), ref: 004976A2
                                                  • FindClose.KERNEL32(000000FF,004976CD,004976C6,?,00000000,?,00000000,004976EE,?,?,00000000,0049B628,?,00497878,00000000,004978CC), ref: 004976C0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: FileFind$AttributesCloseFirstNext
                                                  • String ID: isRS-$isRS-???.tmp
                                                  • API String ID: 134685335-3422211394
                                                  • Opcode ID: 9a85730e70ae0ef94d3f90e2644594d3b330f28a48244bbcf8e97e2e49ccae5c
                                                  • Instruction ID: ac0d863a46ff1cebd9ad17e119327f8a53363d7c8f83829e6742a95b9ddb5555
                                                  • Opcode Fuzzy Hash: 9a85730e70ae0ef94d3f90e2644594d3b330f28a48244bbcf8e97e2e49ccae5c
                                                  • Instruction Fuzzy Hash: 61317471914608ABCF10EF65CC41ADEBBBCDB45714F5184FBA908E32A1DB389E458F58
                                                  APIs
                                                  • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457431
                                                  • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457458
                                                  • SetForegroundWindow.USER32(?), ref: 00457469
                                                  • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00457741,?,00000000,0045777D), ref: 0045772C
                                                  Strings
                                                  • Cannot evaluate variable because [Code] isn't running yet, xrefs: 004575AC
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                  • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                  • API String ID: 2236967946-3182603685
                                                  • Opcode ID: cf3dd7661c3a2792e8ad76a02533a59f2a31b040d492fcb55b696cf145d9940a
                                                  • Instruction ID: ea769b4c14fff8c8931e63d970561434c834200915b3ece1ca1c477b8b524b3f
                                                  • Opcode Fuzzy Hash: cf3dd7661c3a2792e8ad76a02533a59f2a31b040d492fcb55b696cf145d9940a
                                                  • Instruction Fuzzy Hash: A591E234608204EFD715CF55E9A1F5ABBF9FB49704F2180BAE80497792C638AE05DF58
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F1F), ref: 00455E10
                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E16
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                  • API String ID: 1646373207-3712701948
                                                  • Opcode ID: 2a586cdd6d3b5b624cec46e44aab5337d0e4580ac2e02e9277c845893915eeed
                                                  • Instruction ID: 94d637f012244594286cd058a6e690650624bbac00cb131118490790a059a9ff
                                                  • Opcode Fuzzy Hash: 2a586cdd6d3b5b624cec46e44aab5337d0e4580ac2e02e9277c845893915eeed
                                                  • Instruction Fuzzy Hash: F6416271A04649ABCF01EFA5C892DEEB7B8EF48304F504566E800F7292D6785E09CB68
                                                  APIs
                                                  • IsIconic.USER32(?), ref: 00417D07
                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D25
                                                  • GetWindowPlacement.USER32(?,0000002C), ref: 00417D5B
                                                  • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D82
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Window$Placement$Iconic
                                                  • String ID: ,
                                                  • API String ID: 568898626-3772416878
                                                  • Opcode ID: e47ccc7c96dd650ee5aa99fe86ba7015ba4d078f2208ea4d0e2f2c43afaedfea
                                                  • Instruction ID: 4a262c2e3c05075ab76cb34d6dc8316acc681754e7f1d5d7fcc9d539da6ecccc
                                                  • Opcode Fuzzy Hash: e47ccc7c96dd650ee5aa99fe86ba7015ba4d078f2208ea4d0e2f2c43afaedfea
                                                  • Instruction Fuzzy Hash: A9213E716002089BDF10EFA9D8C0ADA77B8AF58314F15416AFE19DF246D638ED44CBA8
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001,00000000,00463CC1), ref: 00463B35
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,00463C94,?,00000001,00000000,00463CC1), ref: 00463BC4
                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,00463C76,?,00000000,?,00000000,00463C94,?,00000001,00000000,00463CC1), ref: 00463C56
                                                  • FindClose.KERNEL32(000000FF,00463C7D,00463C76,?,00000000,?,00000000,00463C94,?,00000001,00000000,00463CC1), ref: 00463C70
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Find$File$CloseErrorFirstModeNext
                                                  • String ID:
                                                  • API String ID: 4011626565-0
                                                  • Opcode ID: 9e4b21a255c9957acc66722b8fb030e028549ea653889a09ad31eb4a852fe968
                                                  • Instruction ID: 72b898f2585741bb0186620e4596b31eb4d76daf54761f31677757d41602065f
                                                  • Opcode Fuzzy Hash: 9e4b21a255c9957acc66722b8fb030e028549ea653889a09ad31eb4a852fe968
                                                  • Instruction Fuzzy Hash: E941B971A00A54AFCB10EF65CC55ADEB7B8EB88705F4044BAF404B7381E67C9F488E19
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001,00000000,00464167), ref: 00463FF5
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,00464132,?,00000001,00000000,00464167), ref: 0046403B
                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,00464114,?,00000000,?,00000000,00464132,?,00000001,00000000,00464167), ref: 004640F0
                                                  • FindClose.KERNEL32(000000FF,0046411B,00464114,?,00000000,?,00000000,00464132,?,00000001,00000000,00464167), ref: 0046410E
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Find$File$CloseErrorFirstModeNext
                                                  • String ID:
                                                  • API String ID: 4011626565-0
                                                  • Opcode ID: c09ef32585df6ad6587d46f89372b88c2f663d9922c9a38294b644e1f7da4993
                                                  • Instruction ID: c50a8f924641f435bcadfb0116f3895028b18db14577d5a571763064cbfe8c6c
                                                  • Opcode Fuzzy Hash: c09ef32585df6ad6587d46f89372b88c2f663d9922c9a38294b644e1f7da4993
                                                  • Instruction Fuzzy Hash: 77417674A00A18DFCB11EFA5CD859DEB7B8FB88315F4044AAF804A7341E7789E858E59
                                                  APIs
                                                  • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F13,00000000,00452F34), ref: 0042E94E
                                                  • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E979
                                                  • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F13,00000000,00452F34), ref: 0042E986
                                                  • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F13,00000000,00452F34), ref: 0042E98E
                                                  • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F13,00000000,00452F34), ref: 0042E994
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                  • String ID:
                                                  • API String ID: 1177325624-0
                                                  • Opcode ID: d6b6e6a3c56c44dba96863f891d7151671ed351fcb177b64f87cc52fc7469355
                                                  • Instruction ID: 3f40d390e8a5df174f84cdc2f44e01f6cfa8788c97922530efddc0b1fccee370
                                                  • Opcode Fuzzy Hash: d6b6e6a3c56c44dba96863f891d7151671ed351fcb177b64f87cc52fc7469355
                                                  • Instruction Fuzzy Hash: 31F0CDB23A17207AF520717A5C86F6B018CC789B68F10823BBB04FF1C1E9A85D0545AD
                                                  APIs
                                                  • IsIconic.USER32(?), ref: 00482F36
                                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 00482F54
                                                  • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A4,0048241A,0048244E,00000000,0048246E,?,?,?,0049C0A4), ref: 00482F76
                                                  • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A4,0048241A,0048244E,00000000,0048246E,?,?,?,0049C0A4), ref: 00482F8A
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Window$Show$IconicLong
                                                  • String ID:
                                                  • API String ID: 2754861897-0
                                                  • Opcode ID: 9bd873c9f0220d19758c381c5bb4dd0340ed2cd746ce77723441eba7bf105e49
                                                  • Instruction ID: 41c7b109e84caadfbd7bdb59434551f42a7ac603c048c530ac1057f10a9e5501
                                                  • Opcode Fuzzy Hash: 9bd873c9f0220d19758c381c5bb4dd0340ed2cd746ce77723441eba7bf105e49
                                                  • Instruction Fuzzy Hash: F30152742452009FD600F7A58E89B6B33E55B14304F480977BB009F2E6CAADD841E71C
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,0046264C), ref: 004625D0
                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,0046262C,?,00000000,?,00000000,0046264C), ref: 0046260C
                                                  • FindClose.KERNEL32(000000FF,00462633,0046262C,?,00000000,?,00000000,0046264C), ref: 00462626
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstNext
                                                  • String ID:
                                                  • API String ID: 3541575487-0
                                                  • Opcode ID: b00d8aacf9e7513e04c7705060d933e78633390233e65912034b0f0047bc0786
                                                  • Instruction ID: 35f3f22b183c5d1ecd4ea1753066c09f008546f1eb4ef8afe9bdb694ca888e99
                                                  • Opcode Fuzzy Hash: b00d8aacf9e7513e04c7705060d933e78633390233e65912034b0f0047bc0786
                                                  • Instruction Fuzzy Hash: 07210B31904B047ECB11EB75CC41ACEBBBCDB49304F5084F7A808E21A1E6789E55CE5A
                                                  APIs
                                                  • IsIconic.USER32(?), ref: 004241DC
                                                  • SetActiveWindow.USER32(?,?,?,0046CB73), ref: 004241E9
                                                    • Part of subcall function 00423644: ShowWindow.USER32(00410648,00000009,?,00000000,0041ED9C,00423932,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C04), ref: 0042365F
                                                    • Part of subcall function 00423B0C: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,01FD25AC,00424202,?,?,?,0046CB73), ref: 00423B47
                                                  • SetFocus.USER32(00000000,?,?,?,0046CB73), ref: 00424216
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Window$ActiveFocusIconicShow
                                                  • String ID:
                                                  • API String ID: 649377781-0
                                                  • Opcode ID: 362a53b09b72621cbce2071a633a460a23dddc7e90100e91eac1f534d9fc78be
                                                  • Instruction ID: 7ea1460413e76a83717bea1d3364086182948ca7ce33fd4e030d283203b7bb74
                                                  • Opcode Fuzzy Hash: 362a53b09b72621cbce2071a633a460a23dddc7e90100e91eac1f534d9fc78be
                                                  • Instruction Fuzzy Hash: 5BF03071B0012087CB10AFAA9885B9673B8AB48305F5500BBBD05DF357C67CDC058768
                                                  APIs
                                                  • IsIconic.USER32(?), ref: 00417D07
                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D25
                                                  • GetWindowPlacement.USER32(?,0000002C), ref: 00417D5B
                                                  • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D82
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Window$Placement$Iconic
                                                  • String ID:
                                                  • API String ID: 568898626-0
                                                  • Opcode ID: 47b671fdedc35fdf98b71b51c82caa7697cc0af64fcddd8af6052c4a4d8e86ab
                                                  • Instruction ID: 3daf342c44424aa5ce1366acdd2a80e82e5cfeaf10da0033b5167ac39e8fb95c
                                                  • Opcode Fuzzy Hash: 47b671fdedc35fdf98b71b51c82caa7697cc0af64fcddd8af6052c4a4d8e86ab
                                                  • Instruction Fuzzy Hash: BE017C31204108ABDB10EE69ECC1EE773A8AF59324F154166FE09CF242D638EC8087A8
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CaptureIconic
                                                  • String ID:
                                                  • API String ID: 2277910766-0
                                                  • Opcode ID: 9fb93b599f870259b4000da7575617f39aed9b1e5bccbb5d02bb51a51f71ab84
                                                  • Instruction ID: 3321041a09622c131d5de1c426c5b9ba37bf97161ea704a377034d17a7c99502
                                                  • Opcode Fuzzy Hash: 9fb93b599f870259b4000da7575617f39aed9b1e5bccbb5d02bb51a51f71ab84
                                                  • Instruction Fuzzy Hash: 2EF0AF7230564157D7209B2EC984ABB62F69F88318B54483FE419CBB61EB78DCC08658
                                                  APIs
                                                  • IsIconic.USER32(?), ref: 00424193
                                                    • Part of subcall function 00423A7C: EnumWindows.USER32(00423A14), ref: 00423AA0
                                                    • Part of subcall function 00423A7C: GetWindow.USER32(?,00000003), ref: 00423AB5
                                                    • Part of subcall function 00423A7C: GetWindowLongA.USER32(?,000000EC), ref: 00423AC4
                                                    • Part of subcall function 00423A7C: SetWindowPos.USER32(00000000,TAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241A3,?,?,00423D6B), ref: 00423AFA
                                                  • SetActiveWindow.USER32(?,?,?,00423D6B,00000000,00424154), ref: 004241A7
                                                    • Part of subcall function 00423644: ShowWindow.USER32(00410648,00000009,?,00000000,0041ED9C,00423932,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C04), ref: 0042365F
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Window$ActiveEnumIconicLongShowWindows
                                                  • String ID:
                                                  • API String ID: 2671590913-0
                                                  • Opcode ID: dcd3cf20cd52624e3855be4655b1b3d00803fdb590b5af4931fd0619bf418583
                                                  • Instruction ID: 714e4cd20337d44954868cb88e5cd3c5f05620b237e6b6751f152470bbecd415
                                                  • Opcode Fuzzy Hash: dcd3cf20cd52624e3855be4655b1b3d00803fdb590b5af4931fd0619bf418583
                                                  • Instruction Fuzzy Hash: 47E01AA070011087EB10AF69DCC9B9632A8BB4C304F5501BABD49CF25BD63CC8608728
                                                  APIs
                                                  • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127CD), ref: 004127BB
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: NtdllProc_Window
                                                  • String ID:
                                                  • API String ID: 4255912815-0
                                                  • Opcode ID: fadc627793d3d758d03d3b6288103bd692d15878d139e3b8876b7a5e98d728c0
                                                  • Instruction ID: 515a926e27beec0aab385df702329c93692b8444378934293cf55fba5e442f36
                                                  • Opcode Fuzzy Hash: fadc627793d3d758d03d3b6288103bd692d15878d139e3b8876b7a5e98d728c0
                                                  • Instruction Fuzzy Hash: 4951F335304205CFD714DB6ADA8099BF3E5EF94314B2481ABD815C33A1D7B8ADA2CB48
                                                  APIs
                                                  • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 004786A2
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: NtdllProc_Window
                                                  • String ID:
                                                  • API String ID: 4255912815-0
                                                  • Opcode ID: 74fd435c634dc11c163aa08e5e8bd118cd21225c10192b8e8785eef0067adbbd
                                                  • Instruction ID: b7c0c70f2a783e09ad8744fe0b8a2eb923ce1fb3c3bfc7260a93e3bfca3db08f
                                                  • Opcode Fuzzy Hash: 74fd435c634dc11c163aa08e5e8bd118cd21225c10192b8e8785eef0067adbbd
                                                  • Instruction Fuzzy Hash: 1C416875604104EFCB10CF99C6888AAB7F5FB48311B24C99AE80CEB701DB38EE41DB95
                                                  APIs
                                                  • ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045D067
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CryptFour
                                                  • String ID:
                                                  • API String ID: 2153018856-0
                                                  • Opcode ID: 47a938482607ff708c7ba3b07c2d2a6c765e1a89700bf01dade5fb09ed1c08ae
                                                  • Instruction ID: 2e238a974be0c8424367b3c35ccc205e7f0a308c5ec670be841bb4718b7179ff
                                                  • Opcode Fuzzy Hash: 47a938482607ff708c7ba3b07c2d2a6c765e1a89700bf01dade5fb09ed1c08ae
                                                  • Instruction Fuzzy Hash: 37C09BF200420CBF660057D5ECC9C77B75CF6586547508126F6048210195726C104574
                                                  APIs
                                                  • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046D934,?,0046DB15), ref: 0045D07A
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CryptFour
                                                  • String ID:
                                                  • API String ID: 2153018856-0
                                                  • Opcode ID: d02f27854c06b9b5253a86ca74e309db13f969305959900ff247638bb6719fe3
                                                  • Instruction ID: 227689971defb3a768f182aa15824e3680876923b4d994b81e1676941902ce31
                                                  • Opcode Fuzzy Hash: d02f27854c06b9b5253a86ca74e309db13f969305959900ff247638bb6719fe3
                                                  • Instruction Fuzzy Hash: 9DA002B0A80300BAFD2057B05D4EF26352CA7D0F05F708465B202EA0D085A56410852C
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3009873670.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.3009853573.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000001.00000002.3009896023.0000000010002000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_10000000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                  • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                  • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                  • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3009873670.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000001.00000002.3009853573.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000001.00000002.3009896023.0000000010002000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_10000000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                  • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                  • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                  • Instruction Fuzzy Hash:
                                                  APIs
                                                    • Part of subcall function 0044B5FC: GetVersionExA.KERNEL32(00000094), ref: 0044B619
                                                  • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F76D,004980FE), ref: 0044B677
                                                  • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B68F
                                                  • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A1
                                                  • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6B3
                                                  • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6C5
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6D7
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6E9
                                                  • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B6FB
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B70D
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B71F
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B731
                                                  • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B743
                                                  • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B755
                                                  • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B767
                                                  • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B779
                                                  • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B78B
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B79D
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7AF
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C1
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7D3
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7E5
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7F7
                                                  • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B809
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B81B
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B82D
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B83F
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B851
                                                  • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B863
                                                  • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B875
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B887
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B899
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8AB
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8BD
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8CF
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E1
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8F3
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B905
                                                  • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B917
                                                  • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B929
                                                  • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B93B
                                                  • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B94D
                                                  • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B95F
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B971
                                                  • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B983
                                                  • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B995
                                                  • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9A7
                                                  • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9B9
                                                  • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9CB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoadVersion
                                                  • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                  • API String ID: 1968650500-2910565190
                                                  • Opcode ID: 6c67b19e24951571b37bf4c203fa1685e3d140177509ee69aad76801aa2bc0fe
                                                  • Instruction ID: 77cdb2a24b144e98dd8fe0af3c477b00202e10f27d636664339925e4e96e780e
                                                  • Opcode Fuzzy Hash: 6c67b19e24951571b37bf4c203fa1685e3d140177509ee69aad76801aa2bc0fe
                                                  • Instruction Fuzzy Hash: 679198F0A40B11EBEB00AFB5AD96A2A3BA8EB15714310067BB454DF295D778DC108FDD
                                                  APIs
                                                  • 73A1A570.USER32(00000000,?,0041A93C,?), ref: 0041CA38
                                                  • 73A24C40.GDI32(?,00000000,?,0041A93C,?), ref: 0041CA44
                                                  • 73A26180.GDI32(0041A93C,?,00000001,00000001,00000000,00000000,0041CC5A,?,?,00000000,?,0041A93C,?), ref: 0041CA68
                                                  • 73A24C00.GDI32(?,0041A93C,?,00000000,0041CC5A,?,?,00000000,?,0041A93C,?), ref: 0041CA78
                                                  • SelectObject.GDI32(0041CE34,00000000), ref: 0041CA93
                                                  • FillRect.USER32(0041CE34,?,?), ref: 0041CACE
                                                  • SetTextColor.GDI32(0041CE34,00000000), ref: 0041CAE3
                                                  • SetBkColor.GDI32(0041CE34,00000000), ref: 0041CAFA
                                                  • PatBlt.GDI32(0041CE34,00000000,00000000,0041A93C,?,00FF0062), ref: 0041CB10
                                                  • 73A24C40.GDI32(?,00000000,0041CC13,?,0041CE34,00000000,?,0041A93C,?,00000000,0041CC5A,?,?,00000000,?,0041A93C), ref: 0041CB23
                                                  • SelectObject.GDI32(00000000,00000000), ref: 0041CB54
                                                  • 73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CC02,?,?,00000000,0041CC13,?,0041CE34,00000000,?,0041A93C), ref: 0041CB6C
                                                  • 73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC02,?,?,00000000,0041CC13,?,0041CE34,00000000,?), ref: 0041CB75
                                                  • 73A18830.GDI32(0041CE34,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC02,?,?,00000000,0041CC13), ref: 0041CB84
                                                  • 73A122A0.GDI32(0041CE34,0041CE34,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC02,?,?,00000000,0041CC13), ref: 0041CB8D
                                                  • SetTextColor.GDI32(00000000,00000000), ref: 0041CBA6
                                                  • SetBkColor.GDI32(00000000,00000000), ref: 0041CBBD
                                                  • 73A24D40.GDI32(0041CE34,00000000,00000000,0041A93C,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CC02,?,?,00000000), ref: 0041CBD9
                                                  • SelectObject.GDI32(00000000,?), ref: 0041CBE6
                                                  • DeleteDC.GDI32(00000000), ref: 0041CBFC
                                                    • Part of subcall function 0041A050: GetSysColor.USER32(?), ref: 0041A05A
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Color$ObjectSelect$A122A18830Text$A26180A570DeleteFillRect
                                                  • String ID:
                                                  • API String ID: 1381628555-0
                                                  • Opcode ID: dd52d12a6b024fa5c35df86d1f57249e44ceff71b775bbbb3271d9076c63cc1d
                                                  • Instruction ID: 82b5d3b79294c4079cc38f46940f8a3e5246528c32e36f15c424f6ef30e38055
                                                  • Opcode Fuzzy Hash: dd52d12a6b024fa5c35df86d1f57249e44ceff71b775bbbb3271d9076c63cc1d
                                                  • Instruction Fuzzy Hash: 0061F071A44608AFDB10EBE5DC86FEFB7B8EB48704F10446AB504E7281D67CA9508B69
                                                  APIs
                                                  • ShowWindow.USER32(?,00000005,00000000,00497C74,?,?,00000000,?,00000000,00000000,?,0049802B,00000000,00498035,?,00000000), ref: 0049795F
                                                  • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00497C74,?,?,00000000,?,00000000,00000000,?,0049802B,00000000), ref: 00497972
                                                  • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00497C74,?,?,00000000,?,00000000,00000000), ref: 00497982
                                                  • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004979A3
                                                  • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00497C74,?,?,00000000,?,00000000), ref: 004979B3
                                                    • Part of subcall function 0042D444: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4D2,?,?,?,00000001,?,00456052,00000000,004560BA), ref: 0042D479
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                  • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                  • API String ID: 2000705611-3672972446
                                                  APIs
                                                  • GetLastError.KERNEL32(00000000,0045A7B4,?,?,?,?,?,00000006,?,00000000,00496D69,?,00000000,00496E0C), ref: 0045A666
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast
                                                  • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                  • API String ID: 1452528299-3112430753
                                                  APIs
                                                  • GetVersion.KERNEL32 ref: 0045C9FA
                                                  • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CA1A
                                                  • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CA27
                                                  • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CA34
                                                  • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CA42
                                                    • Part of subcall function 0045C8E8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045C987,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045C961
                                                  • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CC35,?,?,00000000), ref: 0045CAFB
                                                  • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CC35,?,?,00000000), ref: 0045CB04
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                  • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                  • API String ID: 59345061-4263478283
                                                  APIs
                                                  • CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,00456875), ref: 0045657A
                                                  • CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,00456875), ref: 004565A0
                                                  • SysFreeString.OLEAUT32(?), ref: 0045672D
                                                  Strings
                                                  • IPersistFile::Save, xrefs: 004567FC
                                                  • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00456764
                                                  • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 0045668F
                                                  • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 0045679E
                                                  • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456712
                                                  • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004566C3
                                                  • IPropertyStore::Commit, xrefs: 0045677D
                                                  • CoCreateInstance, xrefs: 004565AB
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CreateInstance$FreeString
                                                  • String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)
                                                  • API String ID: 308859552-3936712486
                                                  APIs
                                                  • 73A24C40.GDI32(00000000,?,00000000,?), ref: 0041B3BB
                                                  • 73A24C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B3C5
                                                  • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3D7
                                                  • 73A26180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3EE
                                                  • 73A1A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3FA
                                                  • 73A24C00.GDI32(00000000,0000000B,?,00000000,0041B453,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B427
                                                  • 73A1A480.USER32(00000000,00000000,0041B45A,00000000,0041B453,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B44D
                                                  • SelectObject.GDI32(00000000,?), ref: 0041B468
                                                  • SelectObject.GDI32(?,00000000), ref: 0041B477
                                                  • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4A3
                                                  • SelectObject.GDI32(00000000,00000000), ref: 0041B4B1
                                                  • SelectObject.GDI32(?,00000000), ref: 0041B4BF
                                                  • DeleteDC.GDI32(00000000), ref: 0041B4C8
                                                  • DeleteDC.GDI32(?), ref: 0041B4D1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Object$Select$Delete$A26180A480A570Stretch
                                                  • String ID:
                                                  • API String ID: 359944910-0
                                                  APIs
                                                    • Part of subcall function 0042C7FC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C820
                                                  • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472AE8
                                                  • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472BEF
                                                  • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472C05
                                                  • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472C2A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                  • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                  • API String ID: 971782779-3668018701
                                                  APIs
                                                    • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                  • RegQueryValueExA.ADVAPI32(0045A98A,00000000,00000000,?,00000000,?,00000000,00454AE1,?,0045A98A,00000003,00000000,00000000,00454B18), ref: 00454961
                                                    • Part of subcall function 0042E8C0: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453247,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8DF
                                                  • RegQueryValueExA.ADVAPI32(0045A98A,00000000,00000000,00000000,?,00000004,00000000,00454A2B,?,0045A98A,00000000,00000000,?,00000000,?,00000000), ref: 004549E5
                                                  • RegQueryValueExA.ADVAPI32(0045A98A,00000000,00000000,00000000,?,00000004,00000000,00454A2B,?,0045A98A,00000000,00000000,?,00000000,?,00000000), ref: 00454A14
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548B8
                                                  • , xrefs: 004548D2
                                                  • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045487F
                                                  • RegOpenKeyEx, xrefs: 004548E4
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: QueryValue$FormatMessageOpen
                                                  • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                  • API String ID: 2812809588-1577016196
                                                  APIs
                                                    • Part of subcall function 00459184: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004592C1,00000000,00459479,?,00000000,00000000,00000000), ref: 004591D1
                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459479,?,00000000,00000000,00000000), ref: 0045931F
                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459479,?,00000000,00000000,00000000), ref: 00459389
                                                    • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459479,?,00000000,00000000,00000000), ref: 004593F0
                                                  Strings
                                                  • v4.0.30319, xrefs: 00459311
                                                  • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004592D2
                                                  • .NET Framework not found, xrefs: 0045943D
                                                  • .NET Framework version %s not found, xrefs: 00459429
                                                  • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 004593A3
                                                  • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045933C
                                                  • v2.0.50727, xrefs: 0045937B
                                                  • v1.1.4322, xrefs: 004593E2
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Close$Open
                                                  • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                  • API String ID: 2976201327-446240816
                                                  APIs
                                                  • CloseHandle.KERNEL32(?), ref: 0045889B
                                                  • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 004588B7
                                                  • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 004588C5
                                                  • GetExitCodeProcess.KERNEL32(?), ref: 004588D6
                                                  • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0045891D
                                                  • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458939
                                                  Strings
                                                  • Helper process exited., xrefs: 004588E5
                                                  • Stopping 64-bit helper process. (PID: %u), xrefs: 0045888D
                                                  • Helper process exited with failure code: 0x%x, xrefs: 00458903
                                                  • Helper process exited, but failed to get exit code., xrefs: 0045890F
                                                  • Helper isn't responding; killing it., xrefs: 004588A7
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                  • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                  • API String ID: 3355656108-1243109208
                                                  APIs
                                                    • Part of subcall function 0042DDDC: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE08
                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546D3,?,00000000,00454797), ref: 00454623
                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546D3,?,00000000,00454797), ref: 0045475F
                                                    • Part of subcall function 0042E8C0: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453247,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8DF
                                                  Strings
                                                  • , xrefs: 00454585
                                                  • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045453B
                                                  • RegCreateKeyEx, xrefs: 00454597
                                                  • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045456B
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateFormatMessageQueryValue
                                                  • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                  • API String ID: 2481121983-1280779767
                                                  • Opcode ID: fb036eabf5a146f2d7e855c45c9778b44f21e44f1b6b00b130857789a6a7aa14
                                                  • Instruction ID: 79a928fbfbb5cbc52e9f584d13fa8ff479f10e23804a0d57af644d787f67e4fc
                                                  • Opcode Fuzzy Hash: fb036eabf5a146f2d7e855c45c9778b44f21e44f1b6b00b130857789a6a7aa14
                                                  • Instruction Fuzzy Hash: 4C812275A00209AFDB00DFD5C841BEEB7B9EF49305F50452AF900FB292D7789A49CB69
                                                  APIs
                                                    • Part of subcall function 00453890: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,-cI,_iu,?,00000000,004539CA), ref: 0045397F
                                                    • Part of subcall function 00453890: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,-cI,_iu,?,00000000,004539CA), ref: 0045398F
                                                  • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004961D9
                                                  • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,0049632D), ref: 004961FA
                                                  • CreateWindowExA.USER32(00000000,STATIC,0049633C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496221
                                                  • SetWindowLongA.USER32(?,000000FC,004959B4), ref: 00496234
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496300,?,?,000000FC,004959B4,00000000,STATIC,0049633C), ref: 00496264
                                                  • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004962D8
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496300,?,?,000000FC,004959B4,00000000), ref: 004962E4
                                                    • Part of subcall function 00453D04: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453DEB
                                                  • 73A25CF0.USER32(?,00496307,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496300,?,?,000000FC,004959B4,00000000,STATIC), ref: 004962FA
                                                  Similarity
                                                  • API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                  • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                  • API String ID: 170458502-2312673372
                                                  • Opcode ID: 9b06694425e575e437806c69a3063783cd4ae9b2f688ab1fdd8fd86893ac9854
                                                  • Instruction ID: 59c6668a25180793b9734d4b881d6428f2164d7595bd96eb0933aaec2009094d
                                                  • Opcode Fuzzy Hash: 9b06694425e575e437806c69a3063783cd4ae9b2f688ab1fdd8fd86893ac9854
                                                  • Instruction Fuzzy Hash: 30413070A00204AFDF11EBA5DD42FAE7BB8EB09714F61457AF500F7291D7799A048B68
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E515,?,00000000,0047DD24,00000000), ref: 0042E439
                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E43F
                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E515,?,00000000,0047DD24,00000000), ref: 0042E48D
                                                  Similarity
                                                  • API ID: AddressCloseHandleModuleProc
                                                  • String ID: %aE$.DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                  • API String ID: 4190037839-4073108654
                                                  • Opcode ID: 2da1f24d3b2dac621d95ef46090c641aa8f16fa50bf8c44a058beec2af7c6974
                                                  • Instruction ID: 54e13c124a033066941eeca65415b1323707e8dcf3020f71d3dbb5d1a98da02b
                                                  • Opcode Fuzzy Hash: 2da1f24d3b2dac621d95ef46090c641aa8f16fa50bf8c44a058beec2af7c6974
                                                  • Instruction Fuzzy Hash: C5214430B10225BBDB00EAE7DC45B9E76B8EB48708F904477A500E7281E77CDE419B1C
                                                  APIs
                                                  • GetActiveWindow.USER32 ref: 00462824
                                                  • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462838
                                                  • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462845
                                                  • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462852
                                                  • GetWindowRect.USER32(?,00000000), ref: 0046289E
                                                  • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 004628DC
                                                  Similarity
                                                  • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                  • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                  • API String ID: 2610873146-3407710046
                                                  • Opcode ID: 1a12ae3bf6497ff777cd16400bb62bc7ce249fae767d1011b5c9c7ae1396f400
                                                  • Instruction ID: 4c37a186de2a83ca6a9e6f1427afc5cce354ac5e92891655707437263646b99d
                                                  • Opcode Fuzzy Hash: 1a12ae3bf6497ff777cd16400bb62bc7ce249fae767d1011b5c9c7ae1396f400
                                                  • Instruction Fuzzy Hash: 8621C571700B006BD310E664DD41F3B3798EB84710F08063AF984DB3D2EAB8EC008B9A
                                                  APIs
                                                  • GetActiveWindow.USER32 ref: 0042F18C
                                                  • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A0
                                                  • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1AD
                                                  • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1BA
                                                  • GetWindowRect.USER32(?,00000000), ref: 0042F206
                                                  • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F244
                                                  Similarity
                                                  • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                  • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                  • API String ID: 2610873146-3407710046
                                                  • Opcode ID: f060aae0b7a5edf3cc9df1b8e2ac1156138d1c343137e24e009784064c48acd9
                                                  • Instruction ID: fe4b6ce3f65a79f89e9c436b8398c0b3b6e1cac74b3897b930778965e8aa8e9e
                                                  • Opcode Fuzzy Hash: f060aae0b7a5edf3cc9df1b8e2ac1156138d1c343137e24e009784064c48acd9
                                                  • Instruction Fuzzy Hash: 8A21D479300710ABD700D668EC81F3B36E8EB85710F88457AF944DB3C1DA79EC048BA9
                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458C1B,?,00000000,00458C7E,?,?,01FD3858,00000000), ref: 00458A99
                                                  • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,01FD3858,?,00000000,00458BB0,?,00000000,00000001,00000000,00000000,00000000,00458C1B), ref: 00458AF6
                                                  • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,01FD3858,?,00000000,00458BB0,?,00000000,00000001,00000000,00000000,00000000,00458C1B), ref: 00458B03
                                                  • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458B4F
                                                  • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458B89,?,-00000020,0000000C,-00004034,00000014,01FD3858,?,00000000,00458BB0,?,00000000), ref: 00458B75
                                                  • GetLastError.KERNEL32(?,?,00000000,00000001,00458B89,?,-00000020,0000000C,-00004034,00000014,01FD3858,?,00000000,00458BB0,?,00000000), ref: 00458B7C
                                                    • Part of subcall function 00453470: GetLastError.KERNEL32(00000000,00454005,00000005,00000000,0045403A,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004978B1,00000000), ref: 00453473
                                                  Similarity
                                                  • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                  • String ID: CreateEvent$TransactNamedPipe
                                                  • API String ID: 2182916169-3012584893
                                                  • Opcode ID: 893ade2b7d25531ff66c13e68608fa62c4cd61168c1a2b8304732b74ac398c25
                                                  • Instruction ID: 8abbb299140198d1acf2f300c186b6d7a0c7583c2a92940a340f901db1703015
                                                  • Opcode Fuzzy Hash: 893ade2b7d25531ff66c13e68608fa62c4cd61168c1a2b8304732b74ac398c25
                                                  • Instruction Fuzzy Hash: D4418771A00608EFDB15DF95CD81F9EB7F8EB48714F10406AF904F7292DA789E44CA28
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456CA5,?,?,00000031,?), ref: 00456B68
                                                  • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456B6E
                                                  • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456BBB
                                                    • Part of subcall function 00453470: GetLastError.KERNEL32(00000000,00454005,00000005,00000000,0045403A,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004978B1,00000000), ref: 00453473
                                                  Similarity
                                                  • API ID: AddressErrorHandleLastLoadModuleProcType
                                                  • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                  • API String ID: 1914119943-2711329623
                                                  • Opcode ID: 429f9213fdce0867704162136d35381b6641e802cf297fe1828a7e481cb37b2a
                                                  • Instruction ID: 90c7a9fdd6b9eff4f50a7868ac1bc5a0a48bbd230e3c9f86fc21845b06ed4ed7
                                                  • Opcode Fuzzy Hash: 429f9213fdce0867704162136d35381b6641e802cf297fe1828a7e481cb37b2a
                                                  • Instruction Fuzzy Hash: 1B31B271A00A04AF9702EFAACC51D5BB7BDEB89746752846AFC04D3752DA38DD04C768
                                                  APIs
                                                  • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
                                                  • LocalFree.KERNEL32(00732A68,00000000,00401B68), ref: 00401ACF
                                                  • VirtualFree.KERNEL32(?,00000000,00008000,00732A68,00000000,00401B68), ref: 00401AEE
                                                  • LocalFree.KERNEL32(00731C38,?,00000000,00008000,00732A68,00000000,00401B68), ref: 00401B2D
                                                  • RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
                                                  • RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
                                                  Similarity
                                                  • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                  • String ID: \"s$h*s$l"s
                                                  • API String ID: 3782394904-1185311768
                                                  • Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                  • Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
                                                  • Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                  • Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
                                                  APIs
                                                  • RectVisible.GDI32(?,?), ref: 00416E0B
                                                  • SaveDC.GDI32(?), ref: 00416E1F
                                                  • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E42
                                                  • RestoreDC.GDI32(?,?), ref: 00416E5D
                                                  • CreateSolidBrush.GDI32(00000000), ref: 00416EDD
                                                  • FrameRect.USER32(?,?,?), ref: 00416F10
                                                  • DeleteObject.GDI32(?), ref: 00416F1A
                                                  • CreateSolidBrush.GDI32(00000000), ref: 00416F2A
                                                  • FrameRect.USER32(?,?,?), ref: 00416F5D
                                                  • DeleteObject.GDI32(?), ref: 00416F67
                                                  Similarity
                                                  • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                  • String ID:
                                                  • API String ID: 375863564-0
                                                  • Opcode ID: 4f2037b5eabd4c0ddd7adb5546328da8476fa2c27bed59ce0fc3228c4463e070
                                                  • Instruction ID: 3aa003abb57efcc62207c922e0442432c52dbc4458161ac97ea4a6727b5fec63
                                                  • Opcode Fuzzy Hash: 4f2037b5eabd4c0ddd7adb5546328da8476fa2c27bed59ce0fc3228c4463e070
                                                  • Instruction Fuzzy Hash: 7F512B716086459FDB50EF29C8C0B9777E8AF48314F15466ABD889B287C738EC81CB99
                                                  APIs
                                                  • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                  • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                  • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                  • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                  • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                  • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                  • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                  • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                  Similarity
                                                  • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                  • String ID:
                                                  • API String ID: 1694776339-0
                                                  • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                  • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                  • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                  • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                  APIs
                                                  • GetSystemMenu.USER32(00000000,00000000), ref: 0042222B
                                                  • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422249
                                                  • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422256
                                                  • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422263
                                                  • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422270
                                                  • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0042227D
                                                  • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0042228A
                                                  • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00422297
                                                  • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222B5
                                                  • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D1
                                                  Similarity
                                                  • API ID: Menu$Delete$EnableItem$System
                                                  • String ID:
                                                  • API String ID: 3985193851-0
                                                  • Opcode ID: 5abdbd2448cd02f00dbd9e0a18e72027fb78d1268677703bf36b2e23ad6afd93
                                                  • Instruction ID: 3d512aed001548988d9f6823c75d43677a46120aeb5bb01c9b252fa7414fdf33
                                                  • Opcode Fuzzy Hash: 5abdbd2448cd02f00dbd9e0a18e72027fb78d1268677703bf36b2e23ad6afd93
                                                  • Instruction Fuzzy Hash: 692144703407447AE720E724DD8BFABBBD8AB04708F1455A5B6487F6D3C2F9AB804698
                                                  APIs
                                                  • FreeLibrary.KERNEL32(10000000), ref: 00480FD5
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00480FE9
                                                  • SendNotifyMessageA.USER32(00020450,00000496,00002710,00000000), ref: 0048105B
                                                  Strings
                                                  • Restarting Windows., xrefs: 00481036
                                                  • GetCustomSetupExitCode, xrefs: 00480E75
                                                  • Deinitializing Setup., xrefs: 00480E36
                                                  • DeinitializeSetup, xrefs: 00480ED1
                                                  • Not restarting Windows because Setup is being run from the debugger., xrefs: 0048100A
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: FreeLibrary$MessageNotifySend
                                                  • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                  • API String ID: 3817813901-1884538726
                                                  • Opcode ID: aeb7eeed0520e5db2a06f6f9575c7ce6fe4ce849ef8be63e157f84bdb35f0c9d
                                                  • Instruction ID: 3a7bead0d2027120b4b43806ed62f13ca717c16daae07b60498e62be9a129c9c
                                                  • Opcode Fuzzy Hash: aeb7eeed0520e5db2a06f6f9575c7ce6fe4ce849ef8be63e157f84bdb35f0c9d
                                                  • Instruction Fuzzy Hash: 6E5191307042409FD711EB65D9A5B6E77E8EB5A304F50887BF900D73A2CB38A849CB9D
                                                  APIs
                                                  • SHGetMalloc.SHELL32(?), ref: 004614EF
                                                  • GetActiveWindow.USER32 ref: 00461553
                                                  • CoInitialize.OLE32(00000000), ref: 00461567
                                                  • SHBrowseForFolder.SHELL32(?), ref: 0046157E
                                                  • CoUninitialize.OLE32(004615BF,00000000,?,?,?,?,?,00000000,00461643), ref: 00461593
                                                  • SetActiveWindow.USER32(?,004615BF,00000000,?,?,?,?,?,00000000,00461643), ref: 004615A9
                                                  • SetActiveWindow.USER32(?,?,004615BF,00000000,?,?,?,?,?,00000000,00461643), ref: 004615B2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                  • String ID: A
                                                  • API String ID: 2684663990-3554254475
                                                  • Opcode ID: 1a2b14b0ce593c78e5b77d196e88522ccd9c3a7e94d83b7f20090faf3fe85af4
                                                  • Instruction ID: 3b7aa7431835c7c777c0b5d0eb650662cb24b1be5a668883a221ebb7e5be7499
                                                  • Opcode Fuzzy Hash: 1a2b14b0ce593c78e5b77d196e88522ccd9c3a7e94d83b7f20090faf3fe85af4
                                                  • Instruction Fuzzy Hash: 05310F70D00218AFDB00EFA6D885A9EBBF8EF09304F55847AF415E7251E6789A04CB5A
                                                  APIs
                                                  • GetFileAttributesA.KERNEL32(00000000,00000000,004728A1,?,?,?,00000008,00000000,00000000,00000000,?,00472AFD,?,?,00000000,00472D6C), ref: 00472804
                                                    • Part of subcall function 0042CD8C: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE02
                                                    • Part of subcall function 00406F40: DeleteFileA.KERNEL32(00000000,0049B628,00497BFD,00000000,00497C52,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F4B
                                                  • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,004728A1,?,?,?,00000008,00000000,00000000,00000000,?,00472AFD), ref: 0047287B
                                                  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,004728A1,?,?,?,00000008,00000000,00000000,00000000), ref: 00472881
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                  • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                  • API String ID: 884541143-1710247218
                                                  • Opcode ID: 1868d1ec2436a7bbc0d7041c4ffcd453102d48d96e31a7c571d0111a3cf3086d
                                                  • Instruction ID: 279d6da86f281c7a9c803d865f3c4407023b84140d9db6ac64499a617a38ab60
                                                  • Opcode Fuzzy Hash: 1868d1ec2436a7bbc0d7041c4ffcd453102d48d96e31a7c571d0111a3cf3086d
                                                  • Instruction Fuzzy Hash: 8A11E270B005147BDB01F6658D82BAE73ACDB45754F62827BB804A72C1DB7C9E028A1E
                                                  APIs
                                                  • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D0DD
                                                  • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D0ED
                                                  • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D0FD
                                                  • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D10D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressProc
                                                  • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                  • API String ID: 190572456-3516654456
                                                  • Opcode ID: dbb685680a16ba3fccec3577b7ec4e51ea72545e87c1ddc4c02616cb3473d65c
                                                  • Instruction ID: 76eb10cdb098e6f3740e4570fa0e0ca14f9d337f92906be3718b60d9f676c82f
                                                  • Opcode Fuzzy Hash: dbb685680a16ba3fccec3577b7ec4e51ea72545e87c1ddc4c02616cb3473d65c
                                                  • Instruction Fuzzy Hash: 800112B0D01B00DAE724DFB69DD572736A5ABA4306F10C13B9C49D62A2D77D0859DF2C
                                                  APIs
                                                  • SetBkColor.GDI32(?,00000000), ref: 0041A9B1
                                                  • 73A24D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041A9EB
                                                  • SetBkColor.GDI32(?,?), ref: 0041AA00
                                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA4A
                                                  • SetTextColor.GDI32(00000000,00000000), ref: 0041AA55
                                                  • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA65
                                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAA4
                                                  • SetTextColor.GDI32(00000000,00000000), ref: 0041AAAE
                                                  • SetBkColor.GDI32(00000000,?), ref: 0041AABB
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Color$StretchText
                                                  • String ID:
                                                  • API String ID: 2984075790-0
                                                  • Opcode ID: 33ed346255d2d01e66c926e049e6617e656dc0545b4cfc6f34fc57e337ce283f
                                                  • Instruction ID: f35f62ab74b2522f6310a7e8d9a92b24202350a16c816e0881424610f10e5e30
                                                  • Opcode Fuzzy Hash: 33ed346255d2d01e66c926e049e6617e656dc0545b4cfc6f34fc57e337ce283f
                                                  • Instruction Fuzzy Hash: 9F61C7B5A00105AFCB40EFADD985E9EB7F8EF08314B1085AAF518DB262C735ED408F58
                                                  APIs
                                                    • Part of subcall function 0042D8BC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8CF
                                                  • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458098,?, /s ",?,regsvr32.exe",?,00458098), ref: 0045800A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseDirectoryHandleSystem
                                                  • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                  • API String ID: 2051275411-1862435767
                                                  • Opcode ID: cb06b037a9936da38b1ea299305d673950aed566f5e97164fe1c7bb630972389
                                                  • Instruction ID: 56a02eb2220928eb4cb829bb83c6f501b915172eb664170f25c545f5d36e4a23
                                                  • Opcode Fuzzy Hash: cb06b037a9936da38b1ea299305d673950aed566f5e97164fe1c7bb630972389
                                                  • Instruction Fuzzy Hash: 80413670A003086BDB10EFE5D842B8EB7B9AF44705F50407FA904BB297DF789A0D8B19
                                                  APIs
                                                  • OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A1
                                                  • GetSysColor.USER32(00000014), ref: 0044D1A8
                                                  • SetTextColor.GDI32(00000000,00000000), ref: 0044D1C0
                                                  • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1E9
                                                  • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1F3
                                                  • GetSysColor.USER32(00000010), ref: 0044D1FA
                                                  • SetTextColor.GDI32(00000000,00000000), ref: 0044D212
                                                  • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D23B
                                                  • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D266
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Text$Color$Draw$OffsetRect
                                                  • String ID:
                                                  • API String ID: 1005981011-0
                                                  • Opcode ID: c5a987219403fb39552b8629345f90501b93a362f94b22de4e5dcdb6506d09d4
                                                  • Instruction ID: 3fa3981ec5684e07db84b004592342e93505d63b705e9416633fcf0049301179
                                                  • Opcode Fuzzy Hash: c5a987219403fb39552b8629345f90501b93a362f94b22de4e5dcdb6506d09d4
                                                  • Instruction Fuzzy Hash: 6A21CEB46415047FC710FB2ACC8AE8BBBECDF19319B00457AB958EB392C678DE404668
                                                  APIs
                                                    • Part of subcall function 00450900: SetEndOfFile.KERNEL32(?,?,0045C162,00000000,0045C2ED,?,00000000,00000002,00000002), ref: 00450907
                                                    • Part of subcall function 00406F40: DeleteFileA.KERNEL32(00000000,0049B628,00497BFD,00000000,00497C52,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F4B
                                                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 00495A91
                                                  • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00495AA5
                                                  • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00495ABF
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495ACB
                                                  • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495AD1
                                                  • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495AE4
                                                  Strings
                                                  • Deleting Uninstall data files., xrefs: 00495A07
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                  • String ID: Deleting Uninstall data files.
                                                  • API String ID: 1570157960-2568741658
                                                  • Opcode ID: 181e5138e971e41075a5f0d412266dd8d351837d1b4a26c408709cd589ae8453
                                                  • Instruction ID: 8fd25edfc014547dd13852670f785c7791f766ba0082412c3ee421c8584d85d8
                                                  • Opcode Fuzzy Hash: 181e5138e971e41075a5f0d412266dd8d351837d1b4a26c408709cd589ae8453
                                                  • Instruction Fuzzy Hash: 6D217371304610AFEB11E7A6ECC6B2736A8E758328F61453BB5019A1E2D67CAC04CB6C
                                                  APIs
                                                    • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                  • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00470119,?,?,?,?,00000000), ref: 00470083
                                                  • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00470119), ref: 0047009A
                                                  • AddFontResourceA.GDI32(00000000), ref: 004700B7
                                                  • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004700CB
                                                  Strings
                                                  • Failed to open Fonts registry key., xrefs: 004700A1
                                                  • Failed to set value in Fonts registry key., xrefs: 0047008C
                                                  • AddFontResource, xrefs: 004700D5
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                  • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                  • API String ID: 955540645-649663873
                                                  • Opcode ID: f5f332fdf6b81b93aa7c4aa8247d012b23b36d83bd75883ed92b8e0c843fb9c6
                                                  • Instruction ID: 9e1cacd5bb0885738b58fd2773111f6953d7784f445270ce1bd520dac8ad2ca8
                                                  • Opcode Fuzzy Hash: f5f332fdf6b81b93aa7c4aa8247d012b23b36d83bd75883ed92b8e0c843fb9c6
                                                  • Instruction Fuzzy Hash: 2921B270741240BBDB10EA669C42FAA77DDCB54708F508437B904EB3C2DA7DAE02966D
                                                  APIs
                                                    • Part of subcall function 00416408: GetClassInfoA.USER32(00400000,?,?), ref: 00416477
                                                    • Part of subcall function 00416408: UnregisterClassA.USER32(?,00400000), ref: 004164A3
                                                    • Part of subcall function 00416408: RegisterClassA.USER32(?), ref: 004164C6
                                                  • GetVersion.KERNEL32 ref: 00462C88
                                                  • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462CC6
                                                  • SHGetFileInfo.SHELL32(00462D64,00000000,?,00000160,00004011), ref: 00462CE3
                                                  • LoadCursorA.USER32(00000000,00007F02), ref: 00462D01
                                                  • SetCursor.USER32(00000000,00000000,00007F02,00462D64,00000000,?,00000160,00004011), ref: 00462D07
                                                  • SetCursor.USER32(?,00462D47,00007F02,00462D64,00000000,?,00000160,00004011), ref: 00462D3A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                  • String ID: Explorer
                                                  • API String ID: 2594429197-512347832
                                                  • Opcode ID: 30df62a617669fef841725f59b7241a6ef7ae2a9f6b946bb27ea1461a0e7011c
                                                  • Instruction ID: fc1c968538dd14d686f90bdc81855b9701391525be241791f09fb78c6da7bbf1
                                                  • Opcode Fuzzy Hash: 30df62a617669fef841725f59b7241a6ef7ae2a9f6b946bb27ea1461a0e7011c
                                                  • Instruction Fuzzy Hash: 7A21E7717407047AE720BB768D47F9A3698DB09708F40047FBA09EF2D3D9BC880186AD
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,01FD2BD8,?,?,?,01FD2BD8,00477FC8,00000000,004780E6,?,?,-00000010,?), ref: 00477E1D
                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00477E23
                                                  • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,01FD2BD8,?,?,?,01FD2BD8,00477FC8,00000000,004780E6,?,?,-00000010,?), ref: 00477E36
                                                  • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,01FD2BD8,?,?,?,01FD2BD8), ref: 00477E60
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,01FD2BD8,00477FC8,00000000,004780E6,?,?,-00000010,?), ref: 00477E7E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                  • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                  • API String ID: 2704155762-2318956294
                                                  • Opcode ID: 174de6e33fe68a4e6b56811a15987559e55e5d15ecccd51d737e8050849857cd
                                                  • Instruction ID: a9b895bb6ebf06323b616d37e9582929c99452ce9f0730db43ffa1519c083574
                                                  • Opcode Fuzzy Hash: 174de6e33fe68a4e6b56811a15987559e55e5d15ecccd51d737e8050849857cd
                                                  • Instruction Fuzzy Hash: D1014551788B0436E52031BA0C82FBB244C8F50729F508177BB5CEE2D3EABC9C0201AE
                                                  APIs
                                                  • RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0203C2BC,00003D40,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                  • RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0203C2BC,00003D40,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                  • LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0203C2BC,00003D40,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                  • RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0203C2BC,00003D40,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                  • String ID: \"s$h*s$l"s
                                                  • API String ID: 730355536-1185311768
                                                  • Opcode ID: 0971dfa849a4ffc4cae04a3e1ff9e59bd0eaa306d87ad714f1f0155365df5b79
                                                  • Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
                                                  • Opcode Fuzzy Hash: 0971dfa849a4ffc4cae04a3e1ff9e59bd0eaa306d87ad714f1f0155365df5b79
                                                  • Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
                                                  APIs
                                                  • GetLastError.KERNEL32(00000000,00459DAE,?,00000000,00000000,00000000,?,00000006,?,00000000,00496D69,?,00000000,00496E0C), ref: 00459CF2
                                                    • Part of subcall function 004543C8: FindClose.KERNEL32(000000FF,004544BE), ref: 004544AD
                                                  Strings
                                                  • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459CCC
                                                  • Failed to delete directory (%d). Will retry later., xrefs: 00459D0B
                                                  • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459D67
                                                  • Deleting directory: %s, xrefs: 00459C7B
                                                  • Failed to strip read-only attribute., xrefs: 00459CC0
                                                  • Failed to delete directory (%d)., xrefs: 00459D88
                                                  • Stripped read-only attribute., xrefs: 00459CB4
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseErrorFindLast
                                                  • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                  • API String ID: 754982922-1448842058
                                                  • Opcode ID: 98c166b47c72afa297f55e861990155f618f32ac3a66bf902307907fb8e99ae8
                                                  • Instruction ID: cce1cab1201e8728e9bc38508445727295e1911ffe2e7292dd45cd7f335e186b
                                                  • Opcode Fuzzy Hash: 98c166b47c72afa297f55e861990155f618f32ac3a66bf902307907fb8e99ae8
                                                  • Instruction Fuzzy Hash: F9418230A04259DACB04EB6988013AE76F55F4930AF55857FAC0597393D7BC8E0D879A
                                                  APIs
                                                  • GetCapture.USER32 ref: 00422E9C
                                                  • GetCapture.USER32 ref: 00422EAB
                                                  • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB1
                                                  • ReleaseCapture.USER32 ref: 00422EB6
                                                  • GetActiveWindow.USER32 ref: 00422EC5
                                                  • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F44
                                                  • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FA8
                                                  • GetActiveWindow.USER32 ref: 00422FB7
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CaptureMessageSend$ActiveWindow$Release
                                                  • String ID:
                                                  • API String ID: 862346643-0
                                                  • Opcode ID: b9008f70cee70ce8cdbe9feae850e28bfa4c4446851c9a93175be9357b8d3b25
                                                  • Instruction ID: a831bf89ec3617aa4b81e8a61b28cb02c358a8e939ae68eb352e359643dafe13
                                                  • Opcode Fuzzy Hash: b9008f70cee70ce8cdbe9feae850e28bfa4c4446851c9a93175be9357b8d3b25
                                                  • Instruction Fuzzy Hash: E1414070B00245AFDB10EF69DA46B9E77F1EF48304F5140BAF404AB2A2D7B89E40DB59
                                                  APIs
                                                  • GetWindowLongA.USER32(?,000000F0), ref: 0042F2B2
                                                  • GetWindowLongA.USER32(?,000000EC), ref: 0042F2C9
                                                  • GetActiveWindow.USER32 ref: 0042F2D2
                                                  • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F2FF
                                                  • SetActiveWindow.USER32(?,0042F42F,00000000,?), ref: 0042F320
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Window$ActiveLong$Message
                                                  • String ID:
                                                  • API String ID: 2785966331-0
                                                  • Opcode ID: a223125d65db3de814fb2ac44b456330cdbbeb03ed1e631204e072d19995624a
                                                  • Instruction ID: 9696dc9395d24dec9abacdc10881687288e082ae8fcf9a6a48756090996bfad8
                                                  • Opcode Fuzzy Hash: a223125d65db3de814fb2ac44b456330cdbbeb03ed1e631204e072d19995624a
                                                  • Instruction Fuzzy Hash: A431A171A00714AFDB01EFB9DC52E6E7BF8EB09714B9148BAF804E7291D7389D10CA58
                                                  APIs
                                                  • 73A1A570.USER32(00000000), ref: 00429482
                                                  • GetTextMetricsA.GDI32(00000000), ref: 0042948B
                                                    • Part of subcall function 0041A1E0: CreateFontIndirectA.GDI32(?), ref: 0041A29F
                                                  • SelectObject.GDI32(00000000,00000000), ref: 0042949A
                                                  • GetTextMetricsA.GDI32(00000000,?), ref: 004294A7
                                                  • SelectObject.GDI32(00000000,00000000), ref: 004294AE
                                                  • 73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004294B6
                                                  • GetSystemMetrics.USER32(00000006), ref: 004294DB
                                                  • GetSystemMetrics.USER32(00000006), ref: 004294F5
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
                                                  • String ID:
                                                  • API String ID: 361401722-0
                                                  • Opcode ID: 9352f0de83d2aa8ef3dc5e588d401a22e63a3fe7846e7c3b2a64ff92932535c4
                                                  • Instruction ID: 79023d5d76270fc5b80a90959683f08304bbfc9b3a68a0d1de019d9dda53e89a
                                                  • Opcode Fuzzy Hash: 9352f0de83d2aa8ef3dc5e588d401a22e63a3fe7846e7c3b2a64ff92932535c4
                                                  • Instruction Fuzzy Hash: FE01C0A17087503BE311767A9CC6F6F65C8DB44358F84043BF686D63D3D9AC9C81876A
                                                  APIs
                                                  • 73A1A570.USER32(00000000,?,00419051,004980EA), ref: 0041DE1F
                                                  • 73A24620.GDI32(00000000,0000005A,00000000,?,00419051,004980EA), ref: 0041DE29
                                                  • 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419051,004980EA), ref: 0041DE36
                                                  • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE45
                                                  • GetStockObject.GDI32(00000007), ref: 0041DE53
                                                  • GetStockObject.GDI32(00000005), ref: 0041DE5F
                                                  • GetStockObject.GDI32(0000000D), ref: 0041DE6B
                                                  • LoadIconA.USER32(00000000,00007F00), ref: 0041DE7C
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ObjectStock$A24620A480A570IconLoad
                                                  • String ID:
                                                  • API String ID: 3573811560-0
                                                  • Opcode ID: 710d086b1de04f4d575db38747d659360b557b0cb5838dc09f26a38d22fa0d7e
                                                  • Instruction ID: 462cd7651d9f59a3c1518f9422d26db27efab3bc10fcb75ee14264e6343fb545
                                                  • Opcode Fuzzy Hash: 710d086b1de04f4d575db38747d659360b557b0cb5838dc09f26a38d22fa0d7e
                                                  • Instruction Fuzzy Hash: 0E11EC706456055AE340FFAA6A52BAA3695E724708F00813FF6099F3D1D77D2C444B9F
                                                  APIs
                                                  • LoadCursorA.USER32(00000000,00007F02), ref: 0046316C
                                                  • SetCursor.USER32(00000000,00000000,00007F02,00000000,00463201), ref: 00463172
                                                  • SetCursor.USER32(?,004631E9,00007F02,00000000,00463201), ref: 004631DC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Cursor$Load
                                                  • String ID: $ $Internal error: Item already expanding
                                                  • API String ID: 1675784387-1948079669
                                                  • Opcode ID: 18a8c92a23110e1585e61799d78ad50682638d437455fe8a8eac84c2222b077b
                                                  • Instruction ID: 8c03ff8e54c482a295deb11cd31210a84b03b27930917a3eb50de1af6f5dfb0a
                                                  • Opcode Fuzzy Hash: 18a8c92a23110e1585e61799d78ad50682638d437455fe8a8eac84c2222b077b
                                                  • Instruction Fuzzy Hash: A7B1C430A00284DFD711DF69C589B9ABBF1FF04305F1484AAE8459B792EB78EE45CB19
                                                  APIs
                                                  • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453DEB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: PrivateProfileStringWrite
                                                  • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                  • API String ID: 390214022-3304407042
                                                  • Opcode ID: 7a42a0697151d0d5d2c191e5f1412612b4bf9d75eff795acc860741356bb7580
                                                  • Instruction ID: 27719b604a15c88968755e1a1929315a4e70c7568c957628d41e5ea0e69e6a26
                                                  • Opcode Fuzzy Hash: 7a42a0697151d0d5d2c191e5f1412612b4bf9d75eff795acc860741356bb7580
                                                  • Instruction Fuzzy Hash: DD914434E001099BDF11EFA5D882BDEB7F5EF4834AF508066E90077292D778AE49CB58
                                                  APIs
                                                  • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 0047673D
                                                  • 73A259E0.USER32(00000000,000000FC,00476698,00000000,0047697C,?,00000000,004769A6), ref: 00476764
                                                  • GetACP.KERNEL32(00000000,0047697C,?,00000000,004769A6), ref: 004767A1
                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004767E7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: A259ClassInfoMessageSend
                                                  • String ID: COMBOBOX$Inno Setup: Language
                                                  • API String ID: 3217714596-4234151509
                                                  • Opcode ID: c91c96764c9eb46afea8f4730bcae4c036a3e37d4e33096e95ae453515e7d384
                                                  • Instruction ID: 91173772f4e079f50c7e0c6215708d31291a540b6063389a75a2ac3d3f1b2ee4
                                                  • Opcode Fuzzy Hash: c91c96764c9eb46afea8f4730bcae4c036a3e37d4e33096e95ae453515e7d384
                                                  • Instruction Fuzzy Hash: 68814074A006059FCB10EF69C985AEAB7F5FB09304F56C0BAE808E7362D734AD45CB59
                                                  APIs
                                                  • GetSystemDefaultLCID.KERNEL32(00000000,00408958,?,?,?,?,00000000,00000000,00000000,?,0040995F,00000000,00409972), ref: 0040872A
                                                    • Part of subcall function 00408558: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408623,?,00000000,00408702), ref: 00408576
                                                    • Part of subcall function 004085A4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087A6,?,?,?,00000000,00408958), ref: 004085B7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: InfoLocale$DefaultSystem
                                                  • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                  • API String ID: 1044490935-665933166
                                                  • Opcode ID: e4d4874023cbce5b0e58a93798fb9a357b254c43991a542c79008375c0b91d34
                                                  • Instruction ID: acf8fabd4b29bc0114a799655761a3ccdfd58ddc6ec536e3fe46e21ad76a8ffd
                                                  • Opcode Fuzzy Hash: e4d4874023cbce5b0e58a93798fb9a357b254c43991a542c79008375c0b91d34
                                                  • Instruction Fuzzy Hash: 85515C24B001486BDB00FBA99E91A9E77A9DB84308F50C47FA151BB3C7CE3CDA05975D
                                                  APIs
                                                  • GetVersion.KERNEL32(00000000,004118F1), ref: 00411784
                                                  • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 00411842
                                                    • Part of subcall function 00411AA4: CreatePopupMenu.USER32 ref: 00411ABE
                                                  • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118CE
                                                    • Part of subcall function 00411AA4: CreateMenu.USER32 ref: 00411AC8
                                                  • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118B5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Menu$Insert$Create$ItemPopupVersion
                                                  • String ID: ,$?
                                                  • API String ID: 2359071979-2308483597
                                                  • Opcode ID: e0c9a44165d56187b0795cac699610ea385af12d5fd7003569757b390febdefd
                                                  • Instruction ID: d8c93b49542c4992b593f331124e59532eba8c65ca5fe63237d6ba0ca55a8ecc
                                                  • Opcode Fuzzy Hash: e0c9a44165d56187b0795cac699610ea385af12d5fd7003569757b390febdefd
                                                  • Instruction Fuzzy Hash: 9E510370A00245ABDB10EF6ADD816EA7BF9AF09304B15857BF904E73A2D738DD41CB58
                                                  APIs
                                                  • GetObjectA.GDI32(?,00000018,?), ref: 0041BF20
                                                  • GetObjectA.GDI32(?,00000018,?), ref: 0041BF2F
                                                  • GetBitmapBits.GDI32(?,?,?), ref: 0041BF80
                                                  • GetBitmapBits.GDI32(?,?,?), ref: 0041BF8E
                                                  • DeleteObject.GDI32(?), ref: 0041BF97
                                                  • DeleteObject.GDI32(?), ref: 0041BFA0
                                                  • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFBD
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Object$BitmapBitsDelete$CreateIcon
                                                  • String ID:
                                                  • API String ID: 1030595962-0
                                                  • Opcode ID: a6b868a807f1f599719e52264ea8325182c659afeabb6b194134e5b91d426331
                                                  • Instruction ID: 4619fcafd17693633a8c31a92518bd0abdf88944d34ea3f3446ff31194e2e661
                                                  • Opcode Fuzzy Hash: a6b868a807f1f599719e52264ea8325182c659afeabb6b194134e5b91d426331
                                                  • Instruction Fuzzy Hash: 48510375A00219AFCF10DFA9C8819EEB7F9EF48314B11856AF914E7391D738AD81CB64
                                                  APIs
                                                  • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEF6
                                                  • 73A24620.GDI32(00000000,00000026), ref: 0041CF15
                                                  • 73A18830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF7B
                                                  • 73A122A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CF8A
                                                  • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFF4
                                                  • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D032
                                                  • 73A18830.GDI32(?,?,00000001,0041D064,00000000,00000026), ref: 0041D057
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Stretch$A18830$A122A24620BitsMode
                                                  • String ID:
                                                  • API String ID: 430401518-0
                                                  • Opcode ID: c81279b313576d135e7f058ec71da99c22708ae42f226878f0d4e896de0476ba
                                                  • Instruction ID: 9b717f45caa71cbdb3d7743a5068819f31981c945c02765ea0762fde20f1409d
                                                  • Opcode Fuzzy Hash: c81279b313576d135e7f058ec71da99c22708ae42f226878f0d4e896de0476ba
                                                  • Instruction Fuzzy Hash: 17513F70604204AFDB14DFA8C985F9BBBF9EF08304F14459AB545E7692C778ED81CB58
                                                  APIs
                                                  • SendMessageA.USER32(00000000,?,?), ref: 0045714E
                                                    • Part of subcall function 00424274: GetWindowTextA.USER32(?,?,00000100), ref: 00424294
                                                    • Part of subcall function 0041EE9C: GetCurrentThreadId.KERNEL32 ref: 0041EEEB
                                                    • Part of subcall function 0041EE9C: 73A25940.USER32(00000000,0041EE4C,00000000,00000000,0041EF08,?,00000000,0041EF3F,?,0042EEA8,?,00000001), ref: 0041EEF1
                                                    • Part of subcall function 004242BC: SetWindowTextA.USER32(?,00000000), ref: 004242D4
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004571B5
                                                  • TranslateMessage.USER32(?), ref: 004571D3
                                                  • DispatchMessageA.USER32(?), ref: 004571DC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Message$TextWindow$A25940CurrentDispatchSendThreadTranslate
                                                  • String ID: [Paused]
                                                  • API String ID: 3047529653-4230553315
                                                  • Opcode ID: 80c4c27c4b754fe1519de729eb729efa4ffa2fc2b03d19605f480c373ee661fa
                                                  • Instruction ID: 4dd0f6a69861fba71970a0c95394483262e0630457e8f7cd4854214566cc162d
                                                  • Opcode Fuzzy Hash: 80c4c27c4b754fe1519de729eb729efa4ffa2fc2b03d19605f480c373ee661fa
                                                  • Instruction Fuzzy Hash: EC3196319082449EDB11DFB5EC81B9E7FB8EB49314F5544BBF800E7292D63C9909CB69
                                                  APIs
                                                  • GetCursor.USER32(00000000,0046B37F), ref: 0046B2FC
                                                  • LoadCursorA.USER32(00000000,00007F02), ref: 0046B30A
                                                  • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B37F), ref: 0046B310
                                                  • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B37F), ref: 0046B31A
                                                  • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B37F), ref: 0046B320
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Cursor$LoadSleep
                                                  • String ID: CheckPassword
                                                  • API String ID: 4023313301-1302249611
                                                  • Opcode ID: c5bdf5f640806f8796bfbc41b1a4ab00d3ded5bef946e97f85f4201d994c149c
                                                  • Instruction ID: dcef8ef75e700f151948083f515970cfb06be99f29bdf3d7051495a11b4a934f
                                                  • Opcode Fuzzy Hash: c5bdf5f640806f8796bfbc41b1a4ab00d3ded5bef946e97f85f4201d994c149c
                                                  • Instruction Fuzzy Hash: 9D3190347402049FD701EF69C899B9E7BE4EB49304F5580B6B904DB3A2E7789E80CB89
                                                  APIs
                                                    • Part of subcall function 00477628: GetWindowThreadProcessId.USER32(00000000), ref: 00477630
                                                    • Part of subcall function 00477628: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477727,0049C0A4,00000000), ref: 00477643
                                                    • Part of subcall function 00477628: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477649
                                                  • SendMessageA.USER32(00000000,0000004A,00000000,00477ABA), ref: 00477735
                                                  • GetTickCount.KERNEL32 ref: 0047777A
                                                  • GetTickCount.KERNEL32 ref: 00477784
                                                  • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 004777D9
                                                  Strings
                                                  • CallSpawnServer: Unexpected status: %d, xrefs: 004777C2
                                                  • CallSpawnServer: Unexpected response: $%x, xrefs: 0047776A
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                  • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                  • API String ID: 613034392-3771334282
                                                  • Opcode ID: e1b07b7da0dc81f79c626057223c48b53da9c8a9430d466ab72b2e6b955821c4
                                                  • Instruction ID: 5facb6da61392f64ef9a6a7cc904dffa3fea64199446eda4e4b81d1598b422a3
                                                  • Opcode Fuzzy Hash: e1b07b7da0dc81f79c626057223c48b53da9c8a9430d466ab72b2e6b955821c4
                                                  • Instruction Fuzzy Hash: 0131E474F042158ADF10EBB9C8467EEB6A09B08304F90807AB508EB382D67C5E01C79D
                                                  APIs
                                                  • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045965F
                                                  Strings
                                                  • Failed to load .NET Framework DLL "%s", xrefs: 00459644
                                                  • CreateAssemblyCache, xrefs: 00459656
                                                  • .NET Framework CreateAssemblyCache function failed, xrefs: 00459682
                                                  • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045966A
                                                  • Fusion.dll, xrefs: 004595FF
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressProc
                                                  • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                  • API String ID: 190572456-3990135632
                                                  • Opcode ID: 6db9dd5a59cee9e125ea37fcdd1d071909f295375ba02b74572753309365d729
                                                  • Instruction ID: ee3dd963a50cff277cc460556b086b348bcce4d3c12070cda944c03b6b96f9ce
                                                  • Opcode Fuzzy Hash: 6db9dd5a59cee9e125ea37fcdd1d071909f295375ba02b74572753309365d729
                                                  • Instruction Fuzzy Hash: 5D315771E00609EBCB01EFA5C88169EB7A5AF44315F50857BE814A7382DB7C9E09CB99
                                                  APIs
                                                    • Part of subcall function 0041C040: GetObjectA.GDI32(?,00000018), ref: 0041C04D
                                                  • GetFocus.USER32 ref: 0041C160
                                                  • 73A1A570.USER32(?), ref: 0041C16C
                                                  • 73A18830.GDI32(?,?,00000000,00000000,0041C1EB,?,?), ref: 0041C18D
                                                  • 73A122A0.GDI32(?,?,?,00000000,00000000,0041C1EB,?,?), ref: 0041C199
                                                  • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B0
                                                  • 73A18830.GDI32(?,00000000,00000000,0041C1F2,?,?), ref: 0041C1D8
                                                  • 73A1A480.USER32(?,?,0041C1F2,?,?), ref: 0041C1E5
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: A18830$A122A480A570BitsFocusObject
                                                  • String ID:
                                                  • API String ID: 2231653193-0
                                                  • Opcode ID: 9c9984a03792254f7cf3ad1787892f213a144d0a64db434cb782e1e94da2dcd6
                                                  • Instruction ID: 42301c90dcb8571f5cbc3500225c3f0eaf81cc24073f805a24a28427ce123417
                                                  • Opcode Fuzzy Hash: 9c9984a03792254f7cf3ad1787892f213a144d0a64db434cb782e1e94da2dcd6
                                                  • Instruction Fuzzy Hash: D7116D71A44618BBDF00DBE9CC81FAFB7FCEB48700F14446AB518E7281DA3899008B28
                                                  APIs
                                                  • GetSystemMetrics.USER32(0000000E), ref: 00418C68
                                                  • GetSystemMetrics.USER32(0000000D), ref: 00418C70
                                                  • 6F532980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C76
                                                    • Part of subcall function 004099A8: 6F52C400.COMCTL32(0049B628,000000FF,00000000,00418CA4,00000000,00418D00,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004099AC
                                                  • 6F59CB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D00,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CC6
                                                  • 6F59C740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D00,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD1
                                                  • 6F59CB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D00,?,00000000,0000000D,00000000), ref: 00418CE4
                                                  • 6F530860.COMCTL32(0049B628,00418D07,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D00,?,00000000,0000000D,00000000,0000000E), ref: 00418CFA
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: MetricsSystem$C400C740F530860F532980
                                                  • String ID:
                                                  • API String ID: 209721339-0
                                                  • Opcode ID: 3e87c7a23a4a947163f4d2b90e583babc0fab05060521c53009111721e1cf9e6
                                                  • Instruction ID: c5403bac5749a6cea20ad86aefc03aeb17a2f2ee6000d3a37742d6553dc7a201
                                                  • Opcode Fuzzy Hash: 3e87c7a23a4a947163f4d2b90e583babc0fab05060521c53009111721e1cf9e6
                                                  • Instruction Fuzzy Hash: 981124B1B44304BFDB10EBA9EC82F5E73B8DB48714F50406AB504EB2C2DAB99D408659
                                                  APIs
                                                    • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004832E0), ref: 004832C5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseOpen
                                                  • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                  • API String ID: 47109696-2530820420
                                                  • Opcode ID: 069f94f9fa12544f7a36e7bd85e6d1afcaa647915ea6f8fcf756052135ad9446
                                                  • Instruction ID: b53b4caf4df369742718f420b864b5eadf64457ff5313130662490eff196aabe
                                                  • Opcode Fuzzy Hash: 069f94f9fa12544f7a36e7bd85e6d1afcaa647915ea6f8fcf756052135ad9446
                                                  • Instruction Fuzzy Hash: 7E115130704244AADB10FFA59852B5F7BA8DB55B05F6188B7A800A7282D7389E02871D
                                                  APIs
                                                  • 73A1A570.USER32(00000000,?,?,00000000), ref: 00494A25
                                                    • Part of subcall function 0041A1E0: CreateFontIndirectA.GDI32(?), ref: 0041A29F
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00494A47
                                                  • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00494FC5), ref: 00494A5B
                                                  • GetTextMetricsA.GDI32(00000000,?), ref: 00494A7D
                                                  • 73A1A480.USER32(00000000,00000000,00494AA7,00494AA0,?,00000000,?,?,00000000), ref: 00494A9A
                                                  Strings
                                                  • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00494A52
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
                                                  • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                  • API String ID: 1435929781-222967699
                                                  • Opcode ID: 8e4816187cf5e8e7c6dd84ba3c8161288e1479147e1e53052227e353a50aa1d3
                                                  • Instruction ID: 4a1d9e00790e4e8279befe01d539e981fbc0a950f87c09723c3c89301347e02c
                                                  • Opcode Fuzzy Hash: 8e4816187cf5e8e7c6dd84ba3c8161288e1479147e1e53052227e353a50aa1d3
                                                  • Instruction Fuzzy Hash: FA015E76A44604AFDB14DBA9CC41E5EB7ECDB48704F610476B604E7281DA78AE008B6C
                                                  APIs
                                                  • SelectObject.GDI32(00000000,?), ref: 0041B468
                                                  • SelectObject.GDI32(?,00000000), ref: 0041B477
                                                  • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4A3
                                                  • SelectObject.GDI32(00000000,00000000), ref: 0041B4B1
                                                  • SelectObject.GDI32(?,00000000), ref: 0041B4BF
                                                  • DeleteDC.GDI32(00000000), ref: 0041B4C8
                                                  • DeleteDC.GDI32(?), ref: 0041B4D1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ObjectSelect$Delete$Stretch
                                                  • String ID:
                                                  • API String ID: 1458357782-0
                                                  • Opcode ID: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
                                                  • Instruction ID: d121cbdfe682723b668f1aba97a5ca8eb2ba63952d9ca8216d3140e682204302
                                                  • Opcode Fuzzy Hash: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
                                                  • Instruction Fuzzy Hash: 46115C72E00619ABDB10DAD9DD85FEFB7BCEF08704F144555B614F7281C678AC418BA8
                                                  APIs
                                                  • GetCursorPos.USER32 ref: 004233A7
                                                  • WindowFromPoint.USER32(?,?), ref: 004233B4
                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233C2
                                                  • GetCurrentThreadId.KERNEL32 ref: 004233C9
                                                  • SendMessageA.USER32(00000000,00000084,?,?), ref: 004233E2
                                                  • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 004233F9
                                                  • SetCursor.USER32(00000000), ref: 0042340B
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                  • String ID:
                                                  • API String ID: 1770779139-0
                                                  • Opcode ID: c9ba26483528a121f971c2dd70aae3c664ebef1f4767206ef3dc65e1b1b17165
                                                  • Instruction ID: 5b5036a29de233914ad27f5bfe0a39b591155b03ca34aa4f0141610fd726b6de
                                                  • Opcode Fuzzy Hash: c9ba26483528a121f971c2dd70aae3c664ebef1f4767206ef3dc65e1b1b17165
                                                  • Instruction Fuzzy Hash: 3501D4323046102AD6217B755C82E2F26E8DB85B29F60447FF504BB287DA3DAD11936D
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(user32.dll), ref: 00494848
                                                  • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00494855
                                                  • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00494862
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$HandleModule
                                                  • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                  • API String ID: 667068680-2254406584
                                                  • Opcode ID: 21af07142c53872dca5cd0674b34382539a139ddeec0bf3a3c9dc52e9c6734d9
                                                  • Instruction ID: 57979f0f623c6713f86cfc51a9e85cc39870524a60e3ac3170e58067450f8277
                                                  • Opcode Fuzzy Hash: 21af07142c53872dca5cd0674b34382539a139ddeec0bf3a3c9dc52e9c6734d9
                                                  • Instruction Fuzzy Hash: 68F0F69AB01F5526DA20B5A69C42E7B6ACCCBC17A4F150137FD04B73C2E99C8C0242FD
                                                  APIs
                                                  • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D4B1
                                                  • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D4C1
                                                  • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D4D1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressProc
                                                  • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                  • API String ID: 190572456-212574377
                                                  • Opcode ID: cecd0a63045edb33e2202c29c90cf8f934e5a60212dd894f2f8d3c432b3cebaf
                                                  • Instruction ID: 50a43070f27201e9cf87661d87b97551d06431c7276cd5b4b6d770057bc484c9
                                                  • Opcode Fuzzy Hash: cecd0a63045edb33e2202c29c90cf8f934e5a60212dd894f2f8d3c432b3cebaf
                                                  • Instruction Fuzzy Hash: 4AF0B2B0D00701DAE724DFB65CC77263A959B6431AF1084379A4D55373D67814498F2D
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,00457011,004573B4,00456F68,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,004808CA), ref: 0042EA2D
                                                  • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA33
                                                  • InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA44
                                                    • Part of subcall function 0042E9A4: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA68,00000004,00499934,00457011,004573B4,00456F68,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9BA
                                                    • Part of subcall function 0042E9A4: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C0
                                                    • Part of subcall function 0042E9A4: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D1
                                                  • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,00457011,004573B4,00456F68,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA58
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                  • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                  • API String ID: 142928637-2676053874
                                                  • Opcode ID: 527a2f903435c6b8eae660c7438eac079e405392c9f84945f8436c24f6679cfa
                                                  • Instruction ID: b6413d45aefc5bd916056b1696ea31cacbebf8ca5ba9e8247451a7316c99a6de
                                                  • Opcode Fuzzy Hash: 527a2f903435c6b8eae660c7438eac079e405392c9f84945f8436c24f6679cfa
                                                  • Instruction Fuzzy Hash: C9E092A1741720EAEE10B7BA7D86FAA2558EB5072DF540037F100A51E1C7BD1C80CE9E
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(oleacc.dll,?,0044F081), ref: 0044C7E3
                                                  • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7F4
                                                  • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C804
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoad
                                                  • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                  • API String ID: 2238633743-1050967733
                                                  • Opcode ID: 20d4d3efedc32434c77936c95fe9c73e42e1c540f2b792c07eccd7c7435f7152
                                                  • Instruction ID: ee0778b55076bf214b63aaf44073c79067fceb62e20c2f516a440ec7c4faf5ed
                                                  • Opcode Fuzzy Hash: 20d4d3efedc32434c77936c95fe9c73e42e1c540f2b792c07eccd7c7435f7152
                                                  • Instruction Fuzzy Hash: 2FF0FE70242302CAF750ABB5FDD97563694E7E471AF14237BE401551A1D7BD4444CB8C
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498130), ref: 004786BA
                                                  • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004786C7
                                                  • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004786D7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$HandleModule
                                                  • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                  • API String ID: 667068680-222143506
                                                  • Opcode ID: 037c1e48967f880c8f75eb608e42e3021eac6f548ba3101ad95a3bedc305e175
                                                  • Instruction ID: 2026d18a05cb2035c6a6e54b58e3f317de058d113ce64fa581f90165bcddcee3
                                                  • Opcode Fuzzy Hash: 037c1e48967f880c8f75eb608e42e3021eac6f548ba3101ad95a3bedc305e175
                                                  • Instruction Fuzzy Hash: F5C0E9F06C1701EA9640B7F15CDAD7A2558D520729720943F755EA6192D9BC4C104A6C
                                                  APIs
                                                  • GetFocus.USER32 ref: 0041B73D
                                                  • 73A1A570.USER32(?), ref: 0041B749
                                                  • 73A18830.GDI32(00000000,?,00000000,00000000,0041B814,?,?), ref: 0041B77E
                                                  • 73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041B814,?,?), ref: 0041B78A
                                                  • 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B7F2,?,00000000,0041B814,?,?), ref: 0041B7B8
                                                  • 73A18830.GDI32(00000000,00000000,00000000,0041B7F9,?,?,00000000,00000000,0041B7F2,?,00000000,0041B814,?,?), ref: 0041B7EC
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: A18830$A122A26310A570Focus
                                                  • String ID:
                                                  • API String ID: 3906783838-0
                                                  • Opcode ID: 7028b3360e085542d185f93eaa985fb71498e3c9d3761fe797ea6f9089370fd6
                                                  • Instruction ID: 1a6b37f464f6ee1ac690d44aa7d10d16b676852f44f67843991ec4a9ec0a7b01
                                                  • Opcode Fuzzy Hash: 7028b3360e085542d185f93eaa985fb71498e3c9d3761fe797ea6f9089370fd6
                                                  • Instruction Fuzzy Hash: D9512070A002099FCF11DFA9C891AEEBBF8EF49704F10446AF514A7790D7799981CBA9
                                                  APIs
                                                  • GetFocus.USER32 ref: 0041BA0F
                                                  • 73A1A570.USER32(?), ref: 0041BA1B
                                                  • 73A18830.GDI32(00000000,?,00000000,00000000,0041BAE1,?,?), ref: 0041BA55
                                                  • 73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041BAE1,?,?), ref: 0041BA61
                                                  • 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BABF,?,00000000,0041BAE1,?,?), ref: 0041BA85
                                                  • 73A18830.GDI32(00000000,00000000,00000000,0041BAC6,?,?,00000000,00000000,0041BABF,?,00000000,0041BAE1,?,?), ref: 0041BAB9
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: A18830$A122A26310A570Focus
                                                  • String ID:
                                                  • API String ID: 3906783838-0
                                                  • Opcode ID: 6afe2cc59a527faaede1d3d34b45dc336484c23e3dd063350b4c8de36bb0c79b
                                                  • Instruction ID: 148f6e74122d55113d3717465da8055643ee1b9490db959cdfcac8ccc7d3b8de
                                                  • Opcode Fuzzy Hash: 6afe2cc59a527faaede1d3d34b45dc336484c23e3dd063350b4c8de36bb0c79b
                                                  • Instruction Fuzzy Hash: FC513975A002089FDB11DFA9C881AAEBBF9FF49700F114466F904EB750D738AD40CBA8
                                                  APIs
                                                  • GetFocus.USER32 ref: 0041B576
                                                  • 73A1A570.USER32(?,00000000,0041B650,?,?,?,?), ref: 0041B582
                                                  • 73A24620.GDI32(?,00000068,00000000,0041B624,?,?,00000000,0041B650,?,?,?,?), ref: 0041B59E
                                                  • 73A4E680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B624,?,?,00000000,0041B650,?,?,?,?), ref: 0041B5BB
                                                  • 73A4E680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B624,?,?,00000000,0041B650), ref: 0041B5D2
                                                  • 73A1A480.USER32(?,?,0041B62B,?,?), ref: 0041B61E
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: E680$A24620A480A570Focus
                                                  • String ID:
                                                  • API String ID: 3709697839-0
                                                  • Opcode ID: b97e33ea795034c912b2e17a9f5d54d6d1d1af920c0d7a51194e8edd97010b3d
                                                  • Instruction ID: df8759ecd31a85a201270414174f0a8fa00d18147156f7fa6755a0b35bba35d1
                                                  • Opcode Fuzzy Hash: b97e33ea795034c912b2e17a9f5d54d6d1d1af920c0d7a51194e8edd97010b3d
                                                  • Instruction Fuzzy Hash: E9410831A00258AFCB10DFA9C885AAFBBB4EF59704F1484AAF500EB351D3389D50CBA5
                                                  APIs
                                                  • SetLastError.KERNEL32(00000057,00000000,0045CF38,?,?,?,?,00000000), ref: 0045CED7
                                                  • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045CFA4,?,00000000,0045CF38,?,?,?,?,00000000), ref: 0045CF16
                                                  Strings
                                                  Similarity
                                                  • API ID: ErrorLast
                                                  • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                  • API String ID: 1452528299-1580325520
                                                  APIs
                                                  • GetSystemMetrics.USER32(0000000B), ref: 0041BDCD
                                                  • GetSystemMetrics.USER32(0000000C), ref: 0041BDD7
                                                  • 73A1A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDE1
                                                  • 73A24620.GDI32(00000000,0000000E,00000000,0041BE54,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE08
                                                  • 73A24620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BE54,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE15
                                                  • 73A1A480.USER32(00000000,00000000,0041BE5B,0000000E,00000000,0041BE54,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE4E
                                                  Similarity
                                                  • API ID: A24620MetricsSystem$A480A570
                                                  • String ID:
                                                  • API String ID: 4042297458-0
                                                  APIs
                                                  • GetWindowLongA.USER32(?,000000EC), ref: 0047DDAE
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CB69), ref: 0047DDD4
                                                  • GetWindowLongA.USER32(?,000000EC), ref: 0047DDE4
                                                  • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047DE05
                                                  • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047DE19
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047DE35
                                                  Similarity
                                                  • API ID: Window$Long$Show
                                                  • String ID:
                                                  • API String ID: 3609083571-0
                                                  APIs
                                                    • Part of subcall function 0041A6D8: CreateBrushIndirect.GDI32 ref: 0041A743
                                                  • UnrealizeObject.GDI32(00000000), ref: 0041B274
                                                  • SelectObject.GDI32(?,00000000), ref: 0041B286
                                                  • SetBkColor.GDI32(?,00000000), ref: 0041B2A9
                                                  • SetBkMode.GDI32(?,00000002), ref: 0041B2B4
                                                  • SetBkColor.GDI32(?,00000000), ref: 0041B2CF
                                                  • SetBkMode.GDI32(?,00000001), ref: 0041B2DA
                                                    • Part of subcall function 0041A050: GetSysColor.USER32(?), ref: 0041A05A
                                                  Similarity
                                                  • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                  • String ID:
                                                  • API String ID: 3527656728-0
                                                  APIs
                                                  • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,-cI,_iu,?,00000000,004539CA), ref: 0045397F
                                                  • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,-cI,_iu,?,00000000,004539CA), ref: 0045398F
                                                  Strings
                                                  Similarity
                                                  • API ID: CloseCreateFileHandle
                                                  • String ID: -cI$.tmp$_iu
                                                  • API String ID: 3498533004-3964432171
                                                  APIs
                                                    • Part of subcall function 004242BC: SetWindowTextA.USER32(?,00000000), ref: 004242D4
                                                  • ShowWindow.USER32(?,00000005,00000000,004974CD,?,?,00000000), ref: 0049729E
                                                    • Part of subcall function 0042D8BC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8CF
                                                    • Part of subcall function 00407298: SetCurrentDirectoryA.KERNEL32(00000000,?,004972C6,00000000,00497499,?,?,00000005,00000000,004974CD,?,?,00000000), ref: 004072A3
                                                    • Part of subcall function 0042D444: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4D2,?,?,?,00000001,?,00456052,00000000,004560BA), ref: 0042D479
                                                  Strings
                                                  Similarity
                                                  • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                  • String ID: .dat$.msg$IMsg$Uninstall
                                                  • API String ID: 3312786188-1660910688
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EAD2
                                                  • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAD8
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB01
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressByteCharHandleModuleMultiProcWide
                                                  • String ID: ShutdownBlockReasonCreate$user32.dll
                                                  • API String ID: 828529508-2866557904
                                                  APIs
                                                  • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00457E48
                                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 00457E69
                                                  • CloseHandle.KERNEL32(?,00457E9C), ref: 00457E8F
                                                  Strings
                                                  Similarity
                                                  • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                  • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                  • API String ID: 2573145106-3235461205
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA68,00000004,00499934,00457011,004573B4,00456F68,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9BA
                                                  • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C0
                                                  • InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D1
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressExchangeHandleInterlockedModuleProc
                                                  • String ID: ChangeWindowMessageFilter$user32.dll
                                                  • API String ID: 3478007392-2498399450
                                                  APIs
                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 00477630
                                                  • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477727,0049C0A4,00000000), ref: 00477643
                                                  • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477649
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressHandleModuleProcProcessThreadWindow
                                                  • String ID: AllowSetForegroundWindow$user32.dll
                                                  • API String ID: 1782028327-3855017861
                                                  APIs
                                                  • BeginPaint.USER32(00000000,?), ref: 00416C4A
                                                  • SaveDC.GDI32(?), ref: 00416C7B
                                                  • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D3D), ref: 00416CDC
                                                  • RestoreDC.GDI32(?,?), ref: 00416D03
                                                  • EndPaint.USER32(00000000,?,00416D44,00000000,00416D3D), ref: 00416D37
                                                  Similarity
                                                  • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                  • String ID:
                                                  • API String ID: 3808407030-0
                                                  APIs
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 76268f3067fd7e5b2c462dbffcea77bb187ec6f22ea95bd0c2474c45d8462d54
                                                  • Instruction ID: 35d93ad14ebc553eed2a21e9b47c67a907fa477780373b58b871235641bd8dc8
                                                  • Opcode Fuzzy Hash: 76268f3067fd7e5b2c462dbffcea77bb187ec6f22ea95bd0c2474c45d8462d54
                                                  • Instruction Fuzzy Hash: B23132746057409FC320EB69C584BABB7E8AF89714F04891EF9D9C7751C638EC818B19
                                                  APIs
                                                  • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429800
                                                  • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 0042982F
                                                  • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 0042984B
                                                  • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 00429876
                                                  • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 00429894
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID:
                                                  • API String ID: 3850602802-0
                                                  • Opcode ID: 9f4218a80dfb6ea41a935cea72b52cc504d621f6de5a3555e5000c6e6653befd
                                                  • Instruction ID: c6a16a7b88e0b18788f8573a4e1e1ff521d0234e697c82a38616540cbd285451
                                                  • Opcode Fuzzy Hash: 9f4218a80dfb6ea41a935cea72b52cc504d621f6de5a3555e5000c6e6653befd
                                                  • Instruction Fuzzy Hash: 0621AF707507057AE710FB67DC82F8B7AECDB41708F54483EB905AB6D2DBB8AD418618
                                                  APIs
                                                  • GetSystemMetrics.USER32(0000000B), ref: 0041BBC2
                                                  • GetSystemMetrics.USER32(0000000C), ref: 0041BBCC
                                                  • 73A1A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC0A
                                                  • 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD75,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC51
                                                  • DeleteObject.GDI32(00000000), ref: 0041BC92
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: MetricsSystem$A26310A570DeleteObject
                                                  • String ID:
                                                  • API String ID: 4277397052-0
                                                  • Opcode ID: e18963905fbda8c1d4957780915d0687961bfe8337bc9852c69d647676f2e28b
                                                  • Instruction ID: 58bffdd5ee351b83518612b46dbf543796c6efca4902a0296a584a1adfede215
                                                  • Opcode Fuzzy Hash: e18963905fbda8c1d4957780915d0687961bfe8337bc9852c69d647676f2e28b
                                                  • Instruction Fuzzy Hash: E2317F70E00208EFDB04DFA5C942AAEB7F5EB48704F21856AF514EB381D7789E80DB95
                                                  APIs
                                                    • Part of subcall function 0045CE6C: SetLastError.KERNEL32(00000057,00000000,0045CF38,?,?,?,?,00000000), ref: 0045CED7
                                                  • GetLastError.KERNEL32(00000000,00000000,00000000,00473494,?,?,0049C1D0,00000000), ref: 0047344D
                                                  • GetLastError.KERNEL32(00000000,00000000,00000000,00473494,?,?,0049C1D0,00000000), ref: 00473463
                                                  Strings
                                                  • Setting permissions on registry key: %s\%s, xrefs: 00473412
                                                  • Could not set permissions on the registry key because it currently does not exist., xrefs: 00473457
                                                  • Failed to set permissions on registry key (%d)., xrefs: 00473474
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast
                                                  • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                  • API String ID: 1452528299-4018462623
                                                  • Opcode ID: c2b4e85895e31eb7a4579faef75fdd198930d34150e3eae1e6804dec0b8ec56e
                                                  • Instruction ID: 1dcd38469e34a8f7cdaf58011d69bd772563d378ec45d4c1a9cd481a7780d06e
                                                  • Opcode Fuzzy Hash: c2b4e85895e31eb7a4579faef75fdd198930d34150e3eae1e6804dec0b8ec56e
                                                  • Instruction Fuzzy Hash: 9221B370A042445FCB05DFAAC8816EEBBE8DF49319F50817AE448E7392D77C5E058BAD
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                  • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                  • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$AllocString
                                                  • String ID:
                                                  • API String ID: 262959230-0
                                                  • Opcode ID: fdbd74c082f9815823b504bab77549cef434610d295dd08879ffad668e8b5e0c
                                                  • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                  • Opcode Fuzzy Hash: fdbd74c082f9815823b504bab77549cef434610d295dd08879ffad668e8b5e0c
                                                  • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                  APIs
                                                  • 73A18830.GDI32(00000000,00000000,00000000), ref: 00414411
                                                  • 73A122A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414419
                                                  • 73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041442D
                                                  • 73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414433
                                                  • 73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041443E
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: A122A18830$A480
                                                  • String ID:
                                                  • API String ID: 3325508737-0
                                                  • Opcode ID: 2e378a44b9d760f9e5f1bf7c9b236df4e5f96ed4aa47b9fb48d5ba9b1bbdbb58
                                                  • Instruction ID: 53d1df8a90047df028643ee63be254e951aa3f987763a81c259c8cb4a1af4cbb
                                                  • Opcode Fuzzy Hash: 2e378a44b9d760f9e5f1bf7c9b236df4e5f96ed4aa47b9fb48d5ba9b1bbdbb58
                                                  • Instruction Fuzzy Hash: 7101D43520C3806AE600A63D8C85A9F6BDD9FC6314F05446EF484DB282C979C801C761
                                                  APIs
                                                  • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,\"s,?,?,?,004018B4), ref: 00401566
                                                  • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,\"s,?,?,?,004018B4), ref: 0040158B
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,\"s,?,?,?,004018B4), ref: 004015B1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Virtual$Alloc$Free
                                                  • String ID: \"s$l"s
                                                  • API String ID: 3668210933-2368474644
                                                  • Opcode ID: 4da9ee4765cce6e6c7be3d7cc9adf05dad1d6bab5239e3db9b33b19d934b365d
                                                  • Instruction ID: ed10fda1d5a177d2a0c43996bc0be7fa2989f050302610c9045c0a13ae1d279a
                                                  • Opcode Fuzzy Hash: 4da9ee4765cce6e6c7be3d7cc9adf05dad1d6bab5239e3db9b33b19d934b365d
                                                  • Instruction Fuzzy Hash: AFF0C8716403206AEB315A294C85F133AD4DBC5754F104075BE09FF3DAD6B8980082AC
                                                  APIs
                                                    • Part of subcall function 0041F06C: GetActiveWindow.USER32 ref: 0041F06F
                                                    • Part of subcall function 0041F06C: GetCurrentThreadId.KERNEL32 ref: 0041F084
                                                    • Part of subcall function 0041F06C: 73A25940.USER32(00000000,Function_0001F048), ref: 0041F08A
                                                    • Part of subcall function 004231A0: GetSystemMetrics.USER32(00000000), ref: 004231A2
                                                  • OffsetRect.USER32(?,?,?), ref: 00424DC1
                                                  • DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E84
                                                  • OffsetRect.USER32(?,?,?), ref: 00424E95
                                                    • Part of subcall function 0042355C: GetCurrentThreadId.KERNEL32 ref: 00423571
                                                    • Part of subcall function 0042355C: SetWindowsHookExA.USER32(00000003,00423518,00000000,00000000), ref: 00423581
                                                    • Part of subcall function 0042355C: CreateThread.KERNEL32(00000000,000003E8,004234C8,00000000,00000000), ref: 004235A5
                                                    • Part of subcall function 00424B24: SetTimer.USER32(00000000,00000001,?,004234AC), ref: 00424B3F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Thread$CurrentOffsetRect$A25940ActiveCreateDrawHookMetricsSystemTextTimerWindowWindows
                                                  • String ID: nLB
                                                  • API String ID: 1906964682-2031493005
                                                  • Opcode ID: d69f4dabb7a698d4e2161d5678524c276ca36ddb1998852898fe681b10175c4d
                                                  • Instruction ID: 6ccba84303d4583ac65c185f09da03f8435108134aba783506c2f58cc8f90ba1
                                                  • Opcode Fuzzy Hash: d69f4dabb7a698d4e2161d5678524c276ca36ddb1998852898fe681b10175c4d
                                                  • Instruction Fuzzy Hash: A7812871A00218CFDB14DFA8D884ADEBBF4FF88314F51416AE905AB296E778AD45CF44
                                                  APIs
                                                  • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00406FF3
                                                  • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040706D
                                                  • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070C5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Enum$NameOpenResourceUniversal
                                                  • String ID: Z
                                                  • API String ID: 3604996873-1505515367
                                                  • Opcode ID: 0cda032a99fccbc67731b5396545ffd3d82a8b59ae0714c8f86b613c94d89fe8
                                                  • Instruction ID: 6c201072c7e19ab920663406aa1001a3a7646b20d706545eb94c2f0a958ae389
                                                  • Opcode Fuzzy Hash: 0cda032a99fccbc67731b5396545ffd3d82a8b59ae0714c8f86b613c94d89fe8
                                                  • Instruction Fuzzy Hash: 17517070E04208ABDB11DF55C941A9EBBF9EF49304F1481BAE500BB3D1D778AE458B6A
                                                  APIs
                                                  • SetRectEmpty.USER32(?), ref: 0044D046
                                                  • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D071
                                                  • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D0F9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: DrawText$EmptyRect
                                                  • String ID:
                                                  • API String ID: 182455014-2867612384
                                                  • Opcode ID: aa4c93a2d6761cb4316e3b9f58fd36adaf3be60b4be49a56ecc8a50fb57c6bd0
                                                  • Instruction ID: 2c01bf535b7fc2f64207dbeae616ffe24efc4250a83762b1f7dac36c1304b9fc
                                                  • Opcode Fuzzy Hash: aa4c93a2d6761cb4316e3b9f58fd36adaf3be60b4be49a56ecc8a50fb57c6bd0
                                                  • Instruction Fuzzy Hash: 6C517171E00248AFDB11DFA9C885BDEBBF8AF49308F14447AE845EB352D7389945CB64
                                                  APIs
                                                  • 73A1A570.USER32(00000000,00000000,0042F0C0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042EF96
                                                    • Part of subcall function 0041A1E0: CreateFontIndirectA.GDI32(?), ref: 0041A29F
                                                  • SelectObject.GDI32(?,00000000), ref: 0042EFB9
                                                  • 73A1A480.USER32(00000000,?,0042F0A5,00000000,0042F09E,?,00000000,00000000,0042F0C0,?,?,?,?,00000000,00000000,00000000), ref: 0042F098
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: A480A570CreateFontIndirectObjectSelect
                                                  • String ID: ...\
                                                  • API String ID: 2998766281-983595016
                                                  • Opcode ID: aaeb4b64b252ec620ee19bd92df8033ea15f110d648c0c566ea30b5701249572
                                                  • Instruction ID: 43f07ddd406d3cd78f52d868909731211d08e22d210600ca561f601472f043fe
                                                  • Opcode Fuzzy Hash: aaeb4b64b252ec620ee19bd92df8033ea15f110d648c0c566ea30b5701249572
                                                  • Instruction Fuzzy Hash: A6318570B00128ABDB11DF99D841BAEB7F9FB48708F90447BF410A7392C7785E44CA59
                                                  APIs
                                                  • GetFileAttributesA.KERNEL32(00000000,0049806C,00000000,00497812,?,?,00000000,0049B628), ref: 0049778C
                                                  • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,0049806C,00000000,00497812,?,?,00000000,0049B628), ref: 004977B5
                                                  • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004977CE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: File$Attributes$Move
                                                  • String ID: isRS-%.3u.tmp
                                                  • API String ID: 3839737484-3657609586
                                                  • Opcode ID: 5e447f30b23232af434533287497b31b90de18d305760ab90fd2fc5e7a108e0f
                                                  • Instruction ID: cfa846df06bac921d3cc7342383d8013e9ea743293dbac669405f5124aadd281
                                                  • Opcode Fuzzy Hash: 5e447f30b23232af434533287497b31b90de18d305760ab90fd2fc5e7a108e0f
                                                  • Instruction Fuzzy Hash: 05213271E14209AFCF00EBA9C8859AFBBB8AF54314F51457AB414B72D1D6385E01CB59
                                                  APIs
                                                  • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                  • ExitProcess.KERNEL32 ref: 00404E0D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ExitMessageProcess
                                                  • String ID: Error$Runtime error at 00000000
                                                  • API String ID: 1220098344-2970929446
                                                  • Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                  • Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
                                                  • Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                  • Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED
                                                  APIs
                                                    • Part of subcall function 0042C7FC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C820
                                                    • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                    • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                  • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456A70
                                                  • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456A9D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                  • String ID: LoadTypeLib$RegisterTypeLib
                                                  • API String ID: 1312246647-2435364021
                                                  • Opcode ID: e660801773f94f20b04beacac4d0dca05fe01ebd0f05b0c2a082d9499ce0d4df
                                                  • Instruction ID: dea98cbdfb45d66fad0868bd7db80167fcb8ebb816cd54e6ac056e4ed8ccdf78
                                                  • Opcode Fuzzy Hash: e660801773f94f20b04beacac4d0dca05fe01ebd0f05b0c2a082d9499ce0d4df
                                                  • Instruction Fuzzy Hash: A9119670B00604BFDB11DFA6CD51A5EB7BDEB8A705F518476BC04E3652DA389D04CA54
                                                  APIs
                                                  • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00456F8E
                                                  • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045702B
                                                  Strings
                                                  • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00456FBA
                                                  • Failed to create DebugClientWnd, xrefs: 00456FF4
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                  • API String ID: 3850602802-3720027226
                                                  • Opcode ID: bc4e2302685a1611cdf589b1ebeb412e0de634acd2de00c3d71195a2fbe054b6
                                                  • Instruction ID: 364b6cfc2dd25a83f1288abab6954b7d1953a24f55fd1dbca2d44010d5bb0a44
                                                  • Opcode Fuzzy Hash: bc4e2302685a1611cdf589b1ebeb412e0de634acd2de00c3d71195a2fbe054b6
                                                  • Instruction Fuzzy Hash: 6D110471604240ABD310AB689C81B5F7BD49B15319F55403EFA849B3C3D3794C08C7BE
                                                  APIs
                                                    • Part of subcall function 004242BC: SetWindowTextA.USER32(?,00000000), ref: 004242D4
                                                  • GetFocus.USER32 ref: 004781EB
                                                  • GetKeyState.USER32(0000007A), ref: 004781FD
                                                  • WaitMessage.USER32(?,00000000,00478224,?,00000000,0047824B,?,?,00000001,00000000,?,?,?,0047FA10,00000000,004808CA), ref: 00478207
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: FocusMessageStateTextWaitWindow
                                                  • String ID: Wnd=$%x
                                                  • API String ID: 1381870634-2927251529
                                                  • Opcode ID: 84218ba3482459bc906772e13e797513dd116e5c3cf85ca98293f9821701720b
                                                  • Instruction ID: 5f1c8258d991fabeb8ce52e8cfeede19b84d8dc0ceec509adeab196e5a3e054a
                                                  • Opcode Fuzzy Hash: 84218ba3482459bc906772e13e797513dd116e5c3cf85ca98293f9821701720b
                                                  • Instruction Fuzzy Hash: C011C430644645AFC700FBA5D845A9E7BF8EB49304B5184BEF408E7651DB386D00CA69
                                                  APIs
                                                  • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E438
                                                  • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E447
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Time$File$LocalSystem
                                                  • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                  • API String ID: 1748579591-1013271723
                                                  • Opcode ID: 45f4a363f224ef8c5fed3f77cd0aa38b31e29c1c09915091c8c286ec18076b3a
                                                  • Instruction ID: 72319f5cb05664b7e116556de8a44c1f4f08e856cbf185e3f572017f7e9d6813
                                                  • Opcode Fuzzy Hash: 45f4a363f224ef8c5fed3f77cd0aa38b31e29c1c09915091c8c286ec18076b3a
                                                  • Instruction Fuzzy Hash: 3011F8A440C3919ED340DF6AC44432BBAE4AB99708F04896FF9C8D6381E779C948DB77
                                                  APIs
                                                  • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F57
                                                    • Part of subcall function 00406F40: DeleteFileA.KERNEL32(00000000,0049B628,00497BFD,00000000,00497C52,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F4B
                                                  • MoveFileA.KERNEL32(00000000,00000000), ref: 00453F7C
                                                    • Part of subcall function 00453470: GetLastError.KERNEL32(00000000,00454005,00000005,00000000,0045403A,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004978B1,00000000), ref: 00453473
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: File$AttributesDeleteErrorLastMove
                                                  • String ID: DeleteFile$MoveFile
                                                  • API String ID: 3024442154-139070271
                                                  • Opcode ID: b1543e803949c7e0bc7b6baa6fe4679c95893f4373d9700be0af1e5a7050e6bf
                                                  • Instruction ID: d61ccdf94e8101ca60a50ffa5b16d74e098655775539a7d8992e0f9997158dc0
                                                  • Opcode Fuzzy Hash: b1543e803949c7e0bc7b6baa6fe4679c95893f4373d9700be0af1e5a7050e6bf
                                                  • Instruction Fuzzy Hash: E6F062716041045BD701EBA2D94266EA3ECEB8430EFA0403BB900BB6C3DA3C9E09452D
                                                  APIs
                                                    • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004592C1,00000000,00459479,?,00000000,00000000,00000000), ref: 004591D1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseOpen
                                                  • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                  • API String ID: 47109696-2631785700
                                                  • Opcode ID: a4f8ebe625aa4241feead5212253246ce33a71640870ef86989e33138b66f8c9
                                                  • Instruction ID: b3b7ca93e3ee9f71f5f4917cf459f66c0bdee831e94fc7924cf2246e82346dcf
                                                  • Opcode Fuzzy Hash: a4f8ebe625aa4241feead5212253246ce33a71640870ef86989e33138b66f8c9
                                                  • Instruction Fuzzy Hash: 11F0A431300151EBD710EB5AD895B5E7698DB95356F50453BF940CB253C67CCC058B59
                                                  APIs
                                                    • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                  • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 004831C1
                                                  • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 004831E4
                                                  Strings
                                                  • CSDVersion, xrefs: 004831B8
                                                  • System\CurrentControlSet\Control\Windows, xrefs: 0048318E
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                  • API String ID: 3677997916-1910633163
                                                  • Opcode ID: 8c4194736c198406f1c4615c9bef297240f0128b093a56b4b0574b173b8ea383
                                                  • Instruction ID: 86ea9b687bc925f919ffd8904499e524e0617f710df10bb4bfec30536caacf1e
                                                  • Opcode Fuzzy Hash: 8c4194736c198406f1c4615c9bef297240f0128b093a56b4b0574b173b8ea383
                                                  • Instruction Fuzzy Hash: 84F03175E40208A6DF10EAE18C49BAF73BCAB04F05F104567E910E7281EB7AAB048B59
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B2E,00000000,00453BD1,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FC1,00000000), ref: 0042D902
                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D908
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                  • API String ID: 1646373207-4063490227
                                                  • Opcode ID: 7b96dfeca4fb46ac12370e2a7164d548b2292eba5de3f20d368527ccba0e5576
                                                  • Instruction ID: 46d83308b3a0af851ef73fb55c1ff88b015d3a0f0a3b668622d7e336d39da5d8
                                                  • Opcode Fuzzy Hash: 7b96dfeca4fb46ac12370e2a7164d548b2292eba5de3f20d368527ccba0e5576
                                                  • Instruction Fuzzy Hash: F2E0DFE0B00B4122D720257A1C82B5B10894B84768FA0043B3888E52D6EDBCDD841A2D
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAC8), ref: 0042EB5A
                                                  • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB60
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                  • API String ID: 1646373207-260599015
                                                  • Opcode ID: 3e5cb9d7abe0ff9b6486504588ced90e5b8f05a967361d48d4fc2df467991dfe
                                                  • Instruction ID: e22649ab5c5d02c0682c512352339c2c95c689ad11c13297e1ab925b23cbcb3c
                                                  • Opcode Fuzzy Hash: 3e5cb9d7abe0ff9b6486504588ced90e5b8f05a967361d48d4fc2df467991dfe
                                                  • Instruction Fuzzy Hash: B8D0C793711732566910B5FB3CD1DEB098C895427A39400B7F615E5541D55DDC1119AC
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004980FE), ref: 0044F777
                                                  • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F77D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: NotifyWinEvent$user32.dll
                                                  • API String ID: 1646373207-597752486
                                                  • Opcode ID: c1ce619e6872abdf5b4899d5f27880f5dd90b76e17064dac08d73993ed60d4d7
                                                  • Instruction ID: 704f9416b83fe6db864644e5aa21ade638d5456887e5d0d6230baff76c02d14e
                                                  • Opcode Fuzzy Hash: c1ce619e6872abdf5b4899d5f27880f5dd90b76e17064dac08d73993ed60d4d7
                                                  • Instruction Fuzzy Hash: 7DE012F0E4174499FB00BBB97A4671E3AD0E7A471CB00017FF454A62A1DB7C44184F9D
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498154,00000001,00000000,00498178), ref: 00497E7E
                                                  • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00497E84
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: DisableProcessWindowsGhosting$user32.dll
                                                  • API String ID: 1646373207-834958232
                                                  • Opcode ID: d26faf3502760f2b8304c8b29f1b377702d6f34381249b52cb9d82fc0845b7a8
                                                  • Instruction ID: a447a91dd4d4791f70ca82ece540bd513dbb2543541ea1319c0fea98b289aaf7
                                                  • Opcode Fuzzy Hash: d26faf3502760f2b8304c8b29f1b377702d6f34381249b52cb9d82fc0845b7a8
                                                  • Instruction Fuzzy Hash: 61B09280668712549C0032F30C02B2B0C094840728B1000B73414A00C6CE6C9C004A3D
                                                  APIs
                                                    • Part of subcall function 0044B650: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F76D,004980FE), ref: 0044B677
                                                    • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B68F
                                                    • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A1
                                                    • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6B3
                                                    • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6C5
                                                    • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6D7
                                                    • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6E9
                                                    • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B6FB
                                                    • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B70D
                                                    • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B71F
                                                    • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B731
                                                    • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B743
                                                    • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B755
                                                    • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B767
                                                    • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B779
                                                    • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B78B
                                                    • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B79D
                                                    • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7AF
                                                  • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498126), ref: 0046442B
                                                  • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464431
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoad
                                                  • String ID: SHPathPrepareForWriteA$shell32.dll
                                                  • API String ID: 2238633743-2683653824
                                                  • Opcode ID: 25a4dc9541e494d4f478376088f4118d6a1224d0a714e6d5fca985b35bc39c4d
                                                  • Instruction ID: 48aea337371b5dbca44804c24081d1198016d0c57ab59c55e23a700f58ea278e
                                                  • Opcode Fuzzy Hash: 25a4dc9541e494d4f478376088f4118d6a1224d0a714e6d5fca985b35bc39c4d
                                                  • Instruction Fuzzy Hash: 89B092A0640705A8CD047BB21857B0F2A4494A0B18790423B301475083EF7C88205A5E
                                                  APIs
                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,0047CFD4,?,?,?,?,00000000,0047D129,?,?,?,00000000,?,0047D238), ref: 0047CFB0
                                                  • FindClose.KERNEL32(000000FF,0047CFDB,0047CFD4,?,?,?,?,00000000,0047D129,?,?,?,00000000,?,0047D238,00000000), ref: 0047CFCE
                                                  Similarity
                                                  • API ID: Find$CloseFileNext
                                                  • String ID:
                                                  • API String ID: 2066263336-0
                                                  • Opcode ID: 9f09813f7918e7f3537418bbdf228f62d8dd8a495373f8467bf1863306f2bb6d
                                                  • Instruction ID: d4706787225a87a8d466f388a3eb94f1c6a992d4ef98e923761ffbb9731f628b
                                                  • Opcode Fuzzy Hash: 9f09813f7918e7f3537418bbdf228f62d8dd8a495373f8467bf1863306f2bb6d
                                                  • Instruction Fuzzy Hash: 32814B70D0024DAFCF11DF95CC91ADFBBB9EF49308F5080AAE808A7291D6399A46CF55
                                                  APIs
                                                    • Part of subcall function 0042EE28: GetTickCount.KERNEL32 ref: 0042EE2E
                                                    • Part of subcall function 0042EC80: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECB5
                                                  • GetLastError.KERNEL32(00000000,00475509,?,?,0049C1D0,00000000), ref: 004753F2
                                                  Strings
                                                  Similarity
                                                  • API ID: CountErrorFileLastMoveTick
                                                  • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                  • API String ID: 2406187244-2685451598
                                                  • Opcode ID: 7dd558b458d748696a875524af4e195e3f09e273ab8622730eb0a1e32a8ceb2d
                                                  • Instruction ID: 7c456f6db07972d04682c0112793eede51d985a58d5564732b5c120557be107c
                                                  • Opcode Fuzzy Hash: 7dd558b458d748696a875524af4e195e3f09e273ab8622730eb0a1e32a8ceb2d
                                                  • Instruction Fuzzy Hash: 5D419670A006099BCB10EFA5D882ADF77B5EF48314F608537E404BB355E7B89E458BAD
                                                  APIs
                                                  • GetDesktopWindow.USER32 ref: 00413D3E
                                                  • GetDesktopWindow.USER32 ref: 00413DF6
                                                    • Part of subcall function 00418EB8: 6F59C6F0.COMCTL32(?,00000000,00413FBB,00000000,004140CB,?,?,0049B628), ref: 00418ED4
                                                    • Part of subcall function 00418EB8: ShowCursor.USER32(00000001,?,00000000,00413FBB,00000000,004140CB,?,?,0049B628), ref: 00418EF1
                                                  • SetCursor.USER32(00000000,?,?,?,?,00413AEB,00000000,00413AFE), ref: 00413E34
                                                  Similarity
                                                  • API ID: CursorDesktopWindow$Show
                                                  • String ID:
                                                  • API String ID: 2074268717-0
                                                  • Opcode ID: d2c454668ecaa59f130cbdc0d7f98644b71464a6bea9d144c6b553ceac200a13
                                                  • Instruction ID: 9b0def8c9c64a2c96ee02a3ab3d0705208e3fbe4449c9c566199a376d490666d
                                                  • Opcode Fuzzy Hash: d2c454668ecaa59f130cbdc0d7f98644b71464a6bea9d144c6b553ceac200a13
                                                  • Instruction Fuzzy Hash: D2411931600210AFC710DF2AFA84B5677A5EB69329B16807BE405CB365DB38ED81CF9C
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A65
                                                  • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AD4
                                                  • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B6F
                                                  • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BAE
                                                  Similarity
                                                  • API ID: LoadString$FileMessageModuleName
                                                  • String ID:
                                                  • API String ID: 704749118-0
                                                  • Opcode ID: 6e4d3cb753bdbb9908acc8cdd2b86980fc3448728ff30d06669c4a0ffee8011d
                                                  • Instruction ID: 89cba0e7522a9b83fcc2071cfb28f1965358b02fab5b9b8693395207a1b0bde5
                                                  • Opcode Fuzzy Hash: 6e4d3cb753bdbb9908acc8cdd2b86980fc3448728ff30d06669c4a0ffee8011d
                                                  • Instruction Fuzzy Hash: A63110716083809AD330EB65CA45B9FB7D8AB85704F44483FB6C8E72D1DB7899048B6B
                                                  APIs
                                                  • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E905
                                                    • Part of subcall function 0044CF48: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF7A
                                                  • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E989
                                                    • Part of subcall function 0042BBAC: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC0
                                                  • IsRectEmpty.USER32(?), ref: 0044E94B
                                                  • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E96E
                                                  Similarity
                                                  • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                  • String ID:
                                                  • API String ID: 855768636-0
                                                  • Opcode ID: 0b47e4e74fbaa274a2738fa508d6e527e1083de5c38dc3a313e3f8e812d9ff7d
                                                  • Instruction ID: fae584cc962e85b422f7b584321c3529105593e75d7f1ff9ae22b75d4be52dd2
                                                  • Opcode Fuzzy Hash: 0b47e4e74fbaa274a2738fa508d6e527e1083de5c38dc3a313e3f8e812d9ff7d
                                                  • Instruction Fuzzy Hash: F1116A71B4030067E610BA3A8C86B5B76C99B98748F15093FB505EB3C2DE7DDC0983A9
                                                  APIs
                                                  • OffsetRect.USER32(?,?,00000000), ref: 00494E94
                                                  • OffsetRect.USER32(?,00000000,?), ref: 00494EAF
                                                  • OffsetRect.USER32(?,?,00000000), ref: 00494EC9
                                                  • OffsetRect.USER32(?,00000000,?), ref: 00494EE4
                                                  Similarity
                                                  • API ID: OffsetRect
                                                  • String ID:
                                                  • API String ID: 177026234-0
                                                  • Opcode ID: 6561eb4d383449756189e8e73bad2b2324663fde54b6a94536ab2f09e4d2584d
                                                  • Instruction ID: 1704218a4531d37ac2ab58ce54688b95f7f5c665c469e7ed4027bbe581d59bf2
                                                  • Opcode Fuzzy Hash: 6561eb4d383449756189e8e73bad2b2324663fde54b6a94536ab2f09e4d2584d
                                                  • Instruction Fuzzy Hash: C42190BA704201AFCB00DE69CD85E6BB7DAEFC4340F148A3AF944C7249E638ED058755
                                                  APIs
                                                  • GetCursorPos.USER32 ref: 00417258
                                                  • SetCursor.USER32(00000000), ref: 0041729B
                                                  • GetLastActivePopup.USER32(?), ref: 004172C5
                                                  • GetForegroundWindow.USER32(?), ref: 004172CC
                                                  Similarity
                                                  • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                  • String ID:
                                                  • API String ID: 1959210111-0
                                                  • Opcode ID: 7e2e89ac6d78113517a7cdb08ff1bb3a8e6934fc8f6f5a4bd5de53d8afa5f26a
                                                  • Instruction ID: d8f212eab659ab8611038d963e52f28b2b0f2619fe8d71a0b25c9b868ff876e9
                                                  • Opcode Fuzzy Hash: 7e2e89ac6d78113517a7cdb08ff1bb3a8e6934fc8f6f5a4bd5de53d8afa5f26a
                                                  • Instruction Fuzzy Hash: B121B0303486008AC710AB69D944AEB33F1EF58724B1145BBF8459B392DB3DDC82CB8D
                                                  APIs
                                                  • MulDiv.KERNEL32(8B500000,00000008,?), ref: 00494AFD
                                                  • MulDiv.KERNEL32(50142444,00000008,?), ref: 00494B11
                                                  • MulDiv.KERNEL32(F70A2BE8,00000008,?), ref: 00494B25
                                                  • MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 00494B43
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: da8da1de4e7f5bc81aa34d833cd20809ae9834e6658fde7f29423bed1a0b2134
                                                  • Instruction ID: 4e21b8649f01b029d01931fbc34569bb41b57a17a8c4fb2cd57aac9c741bb68b
                                                  • Opcode Fuzzy Hash: da8da1de4e7f5bc81aa34d833cd20809ae9834e6658fde7f29423bed1a0b2134
                                                  • Instruction Fuzzy Hash: 1F113072605104AFCF40DFA9C8C5E9B7BECEF8D320B1541AAF908DB246D634ED418B68
                                                  APIs
                                                  • GetClassInfoA.USER32(00400000,0041F468,?), ref: 0041F499
                                                  • UnregisterClassA.USER32(0041F468,00400000), ref: 0041F4C2
                                                  • RegisterClassA.USER32(00499598), ref: 0041F4CC
                                                  • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F507
                                                  Similarity
                                                  • API ID: Class$InfoLongRegisterUnregisterWindow
                                                  • String ID:
                                                  • API String ID: 4025006896-0
                                                  • Opcode ID: 369d2da58285a6866fdf7dc2e280d06892b8d6024adb0aca680e52ce00aa00df
                                                  • Instruction ID: e4d668e9dca91fd32e585eae6d60143d6dfbdf42e70c096e3b85bfad9ab1786c
                                                  • Opcode Fuzzy Hash: 369d2da58285a6866fdf7dc2e280d06892b8d6024adb0aca680e52ce00aa00df
                                                  • Instruction Fuzzy Hash: 63016D722001046BDB10EBACED81E9B3798A729314B10423FBA15E73A2D7399D458BAC
                                                  APIs
                                                  • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D20F
                                                  • LoadResource.KERNEL32(00400000,72756F73,0040A9B0,00400000,00000001,00000000,?,0040D16C,00000000,?,00000000,?,?,0047C33C,0000000A,00000000), ref: 0040D229
                                                  • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A9B0,00400000,00000001,00000000,?,0040D16C,00000000,?,00000000,?,?,0047C33C), ref: 0040D243
                                                  • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A9B0,00400000,00000001,00000000,?,0040D16C,00000000,?,00000000,?), ref: 0040D24D
                                                  Similarity
                                                  • API ID: Resource$FindLoadLockSizeof
                                                  • String ID:
                                                  • API String ID: 3473537107-0
                                                  • Opcode ID: 0bf80b66a5ada5cede639d51b96412ae59566757451319f02a49a05eb7d51380
                                                  • Instruction ID: 3283e33870439dafd25d8e1e147512606e62b5bf6a0133693b61d2317928fdf1
                                                  • Opcode Fuzzy Hash: 0bf80b66a5ada5cede639d51b96412ae59566757451319f02a49a05eb7d51380
                                                  • Instruction Fuzzy Hash: C5F04FB26056047F8B04EE99A881D5B77DDDE88264314027EF908EB242DA38DD018B69
                                                  APIs
                                                  • GetLastError.KERNEL32(?,00000000), ref: 00470411
                                                  Strings
                                                  • Setting NTFS compression on file: %s, xrefs: 004703DF
                                                  • Unsetting NTFS compression on file: %s, xrefs: 004703F7
                                                  • Failed to set NTFS compression state (%d)., xrefs: 00470422
                                                  Similarity
                                                  • API ID: ErrorLast
                                                  • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                  • API String ID: 1452528299-3038984924
                                                  • Opcode ID: 32800ea80ef7f340448f7304649e5167e10847fac6a49cadc2e3199de093b0c6
                                                  • Instruction ID: 0d596443d05caf7374ea98a63d842d8765eee9d82fb477a7c18f0f713548320e
                                                  • Opcode Fuzzy Hash: 32800ea80ef7f340448f7304649e5167e10847fac6a49cadc2e3199de093b0c6
                                                  • Instruction Fuzzy Hash: 3601A730E0924896CB14D7AD94412EDBBB48F09304F54C1EFB85CE7382DB780A098B9A
                                                  APIs
                                                  • GetLastError.KERNEL32(00000000,00000000), ref: 0046FC65
                                                  Strings
                                                  • Unsetting NTFS compression on directory: %s, xrefs: 0046FC4B
                                                  • Setting NTFS compression on directory: %s, xrefs: 0046FC33
                                                  • Failed to set NTFS compression state (%d)., xrefs: 0046FC76
                                                  Similarity
                                                  • API ID: ErrorLast
                                                  • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                  • API String ID: 1452528299-1392080489
                                                  • Opcode ID: b5dc9d2579f2018d9a7d7e75725accde34884e18dd6de742cde32242bcb11ea0
                                                  • Instruction ID: 1ff60dd8eb5a114f2a7af6b3d642365226de0c959c43d8a3966afd89414ec8a0
                                                  • Opcode Fuzzy Hash: b5dc9d2579f2018d9a7d7e75725accde34884e18dd6de742cde32242bcb11ea0
                                                  • Instruction Fuzzy Hash: 5B011730E0824C56CB04D7ADA4412DDBBB4AF4D314F54C5BFA899D7382EA790A0D879B
                                                  APIs
                                                    • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                  • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B5CE,?,?,?,?,?,00000000,0045B5F5), ref: 00455DAC
                                                  • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B5CE,?,?,?,?,?,00000000), ref: 00455DB5
                                                  • RemoveFontResourceA.GDI32(00000000), ref: 00455DC2
                                                  • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455DD6
                                                  Similarity
                                                  • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                  • String ID:
                                                  • API String ID: 4283692357-0
                                                  • Opcode ID: cc4ceb729e222824fe1cac9382ec9995b1fa7ba0c709305ca7eece31e51928de
                                                  • Instruction ID: 990a694f9916720730b0810028faebd1b23d30e86244cf38efb64550af4b0806
                                                  • Opcode Fuzzy Hash: cc4ceb729e222824fe1cac9382ec9995b1fa7ba0c709305ca7eece31e51928de
                                                  • Instruction Fuzzy Hash: 7CF090B274070036EA10B6B65C46F2B12DC8F54745F10883AB500EF2C3D57CDC044629
                                                  APIs
                                                  Similarity
                                                  • API ID: ErrorLast$CountSleepTick
                                                  • String ID:
                                                  • API String ID: 2227064392-0
                                                  • Opcode ID: 4bb6a74b997c72d79b8ad59ba38197016887a39ac959a09613ad40c6f540370d
                                                  • Instruction ID: a2b460aa88ecba94892aad5d964071206a8b0d845d3bc1a6a013ae29a0728730
                                                  • Opcode Fuzzy Hash: 4bb6a74b997c72d79b8ad59ba38197016887a39ac959a09613ad40c6f540370d
                                                  • Instruction Fuzzy Hash: 6FE02B627C916065C62131BE18C25BF464CCBC3364B24463FF0CCE7242C85D5C4A873E
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,004808CA,?,?,?,?,?,004981E7,00000000), ref: 00477CA1
                                                  • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004808CA,?,?,?,?,?,004981E7), ref: 00477CA7
                                                  • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004808CA), ref: 00477CC9
                                                  • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004808CA), ref: 00477CDA
                                                  Similarity
                                                  • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                  • String ID:
                                                  • API String ID: 215268677-0
                                                  • Opcode ID: b789e398f767a3985276fb9b5d86dc0112f39c9ab3e6b0e60025eb20b1cc62c1
                                                  • Instruction ID: 672a73815fb629360b1666c66e1be5f1e4265ed7d7d078eef31aabbee9319095
                                                  • Opcode Fuzzy Hash: b789e398f767a3985276fb9b5d86dc0112f39c9ab3e6b0e60025eb20b1cc62c1
                                                  • Instruction Fuzzy Hash: 5FF037716447007FD600E6B58D81E5B73DCEB44354F04883A7E94D71C1D678DC08A726
                                                  APIs
                                                  • GetLastActivePopup.USER32(?), ref: 00424244
                                                  • IsWindowVisible.USER32(?), ref: 00424255
                                                  • IsWindowEnabled.USER32(?), ref: 0042425F
                                                  • SetForegroundWindow.USER32(?), ref: 00424269
                                                  Similarity
                                                  • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                  • String ID:
                                                  • API String ID: 2280970139-0
                                                  • Opcode ID: d650e12b06832ca1638fa5ec8b7c167202b76d470459cb5fe6943c9b368570a5
                                                  • Instruction ID: 914cdc97238bca482b123af495550876eb6964b08c7fad051248fc704dde4b2b
                                                  • Opcode Fuzzy Hash: d650e12b06832ca1638fa5ec8b7c167202b76d470459cb5fe6943c9b368570a5
                                                  • Instruction Fuzzy Hash: DEE0EC61706636D7AAA2767B2981A9F618D9DC53C434601ABFC04FB386DB2CDC1181BD
                                                  APIs
                                                  • GlobalHandle.KERNEL32 ref: 0040626F
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00406276
                                                  • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
                                                  • GlobalLock.KERNEL32(00000000), ref: 00406281
                                                  Similarity
                                                  • API ID: Global$AllocHandleLockUnlock
                                                  • String ID:
                                                  • API String ID: 2167344118-0
                                                  • Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                  • Instruction ID: 5df08fd8dc2b017785a639aa93036e57be915985ffe03f20f856cac12e18577c
                                                  • Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                  • Instruction Fuzzy Hash: 0BB009C4810A01BEEC0473B24C0BE3F245CD88172C3904A6F3448BA183987C9C405A3A
                                                  APIs
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047B44D,?,00000000,00000000,00000001,00000000,00479E79,?,00000000), ref: 00479E3D
                                                  Strings
                                                  • Failed to parse "reg" constant, xrefs: 00479E44
                                                  • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00479CB1
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                  • API String ID: 3535843008-1938159461
                                                  • Opcode ID: 57bad9c4411a7bf74c6c2dc4fda695579502af0604f82715b5200038b1ffad30
                                                  • Instruction ID: 5eaaab04e28549974a1eae9ca1a9eb8293ffddd3d671f6967ea537ac56f3ac17
                                                  • Opcode Fuzzy Hash: 57bad9c4411a7bf74c6c2dc4fda695579502af0604f82715b5200038b1ffad30
                                                  • Instruction Fuzzy Hash: 81814174E00148AFCF11DF95C881ADEBBF9AF49314F50816AE815BB391D738AE45CB98
                                                  APIs
                                                  • GetForegroundWindow.USER32(00000000,00482CD2,?,00000000,00482D13,?,?,?,?,00000000,00000000,00000000,?,0046BBB9), ref: 00482B81
                                                  • SetActiveWindow.USER32(?,00000000,00482CD2,?,00000000,00482D13,?,?,?,?,00000000,00000000,00000000,?,0046BBB9), ref: 00482B93
                                                  Strings
                                                  • Will not restart Windows automatically., xrefs: 00482CB2
                                                  Similarity
                                                  • API ID: Window$ActiveForeground
                                                  • String ID: Will not restart Windows automatically.
                                                  • API String ID: 307657957-4169339592
                                                  • Opcode ID: 79c316d51ac1fd79a21ce3b82f97925ffc45febbfcb1c28b0a7bd5593e75f807
                                                  • Instruction ID: 4958210349c6873c441c743532f51790e4d62edc104a08ffbd951144213b1fca
                                                  • Opcode Fuzzy Hash: 79c316d51ac1fd79a21ce3b82f97925ffc45febbfcb1c28b0a7bd5593e75f807
                                                  • Instruction Fuzzy Hash: 3541F130248240AED711FBA5EE96BBD7BE4EB55304F540CB7E8405B3A2D2FD68419B1D
                                                  APIs
                                                  • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,004021FC), ref: 004020CB
                                                    • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0203C2BC,00003D40,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                    • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0203C2BC,00003D40,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                    • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0203C2BC,00003D40,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                    • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0203C2BC,00003D40,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                  Strings
                                                  Similarity
                                                  • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                  • String ID: h*s
                                                  • API String ID: 296031713-534949668
                                                  • Opcode ID: 0ec3421781df831a678c5902f9bdaa3f76644b0125f074e6ded90038b86c12b3
                                                  • Instruction ID: 30adadd309813d1a6846ca6b4958dbaac508113c784b73a5bb8d11bfdb372a30
                                                  • Opcode Fuzzy Hash: 0ec3421781df831a678c5902f9bdaa3f76644b0125f074e6ded90038b86c12b3
                                                  • Instruction Fuzzy Hash: 3941E3B2E00304DFDB10CF69EE8521A77A4F7A8324B15417FD854A77E2D3789801DB88
                                                  Strings
                                                  • Failed to proceed to next wizard page; aborting., xrefs: 0046CB44
                                                  • Failed to proceed to next wizard page; showing wizard., xrefs: 0046CB58
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                  • API String ID: 0-1974262853
                                                  • Opcode ID: dc43be0607ecfeeda5f653db28b3a442006743007c0b64165f9b1b6a3889c3b5
                                                  • Instruction ID: 55592184c39aac83035684310b8d0626f6b8fe487ab2a4e85d8be474453688ef
                                                  • Opcode Fuzzy Hash: dc43be0607ecfeeda5f653db28b3a442006743007c0b64165f9b1b6a3889c3b5
                                                  • Instruction Fuzzy Hash: 49318D30604208DFD711EB99D98ABAA77F5EB05704F5500BBF448AB3A2D7797E40CB4A
                                                  APIs
                                                    • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                  • RegCloseKey.ADVAPI32(?,00478A12,?,?,00000001,00000000,00000000,00478A2D), ref: 004789FB
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478986
                                                  • %s\%s_is1, xrefs: 004789A4
                                                  Similarity
                                                  • API ID: CloseOpen
                                                  • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                  • API String ID: 47109696-1598650737
                                                  • Opcode ID: 203e9cdef3f3c7d05f9cd135bcc4e7d95a8ba7022c08c76649149ec0e531cbaf
                                                  • Instruction ID: 1902e23b80ae68d1a407740dd401f48df33a1007776b0bbafa0d95379bb3c34b
                                                  • Opcode Fuzzy Hash: 203e9cdef3f3c7d05f9cd135bcc4e7d95a8ba7022c08c76649149ec0e531cbaf
                                                  • Instruction Fuzzy Hash: AF216474B402449FDB01DBAACC556DEBBE8EB89704F91847FE408E7381DB789D018B59
                                                  APIs
                                                  • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501D1
                                                  • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00450202
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ExecuteMessageSendShell
                                                  • String ID: open
                                                  • API String ID: 812272486-2758837156
                                                  • Opcode ID: d3a35c962c87995e6f353dcc7f0390f1f3aba8aca929dc82464802214bb86f4f
                                                  • Instruction ID: 7e6871a26ddddf45a22869efb5a26db0f3e7f81d2927c2b78b58bd6f76e5dadf
                                                  • Opcode Fuzzy Hash: d3a35c962c87995e6f353dcc7f0390f1f3aba8aca929dc82464802214bb86f4f
                                                  • Instruction Fuzzy Hash: EE216274E00204AFDB04DFA5C889E9EB7F8EB44705F2085BAB814E7292D7789E44CA48
                                                  APIs
                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00455300
                                                  • GetLastError.KERNEL32(0000003C,00000000,00455349,?,?,?), ref: 00455311
                                                    • Part of subcall function 0042D8BC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8CF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: DirectoryErrorExecuteLastShellSystem
                                                  • String ID: <
                                                  • API String ID: 893404051-4251816714
                                                  • Opcode ID: 9439c815502d76cae9d9bfb6546d04338fea16b38e0c711b75209bdd8176d4bf
                                                  • Instruction ID: ab6e9011ac2a47c3b5942fb44236b8cd8890e3b7caf9c3a2037be21c94c6989b
                                                  • Opcode Fuzzy Hash: 9439c815502d76cae9d9bfb6546d04338fea16b38e0c711b75209bdd8176d4bf
                                                  • Instruction Fuzzy Hash: 3F212370600609AFDB10EF65D8926EE7BE8AF48355F90403AFC44E7281D7789E45CB98
                                                  APIs
                                                  • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
                                                  • RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
                                                    • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0203C2BC,00003D40,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                    • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0203C2BC,00003D40,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                    • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0203C2BC,00003D40,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                    • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0203C2BC,00003D40,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                  • String ID: )
                                                  • API String ID: 2227675388-1084416617
                                                  • Opcode ID: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
                                                  • Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
                                                  • Opcode Fuzzy Hash: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
                                                  • Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
                                                  APIs
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496075
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Window
                                                  • String ID: /INITPROCWND=$%x $@
                                                  • API String ID: 2353593579-4169826103
                                                  • Opcode ID: ecbf6afcec96af61fcb478e5b0f8d10ed6ae26bf43725b19494f09826110d62b
                                                  • Instruction ID: 17582354874f3a564912cfd2224966d9f48ebc88dda7ed38b5aba0a92b935dc2
                                                  • Opcode Fuzzy Hash: ecbf6afcec96af61fcb478e5b0f8d10ed6ae26bf43725b19494f09826110d62b
                                                  • Instruction Fuzzy Hash: 1111B731A042448FDF01DBA4D892BAE7FE8EB48314F51447BE504E7282D73C9905CB5C
                                                  APIs
                                                    • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                    • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                  • SysFreeString.OLEAUT32(?), ref: 004474BE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: String$AllocByteCharFreeMultiWide
                                                  • String ID: NIL Interface Exception$Unknown Method
                                                  • API String ID: 3952431833-1023667238
                                                  • Opcode ID: 456d6725a948a64f68b75857ecf673ecd15b77dd67b08c070dfb7a2d7b0a1602
                                                  • Instruction ID: e495528c603fed7e49a6c7636a2d67f8de45625ce5c80b81863372b855da2a7d
                                                  • Opcode Fuzzy Hash: 456d6725a948a64f68b75857ecf673ecd15b77dd67b08c070dfb7a2d7b0a1602
                                                  • Instruction Fuzzy Hash: 7A11D670604208AFEB14DFA58952A6EBFBCEB08304F91447EF504E7282D7789D05CB69
                                                  APIs
                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495974,?,00495968,00000000,0049594F), ref: 0049591A
                                                  • CloseHandle.KERNEL32(004959B4,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495974,?,00495968,00000000), ref: 00495931
                                                    • Part of subcall function 00495804: GetLastError.KERNEL32(00000000,0049589C,?,?,?,?), ref: 00495828
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateErrorHandleLastProcess
                                                  • String ID: <cI
                                                  • API String ID: 3798668922-2480932022
                                                  • Opcode ID: 34c6542742eff2dadab3d088a7a61d5c053afa182c64a6caa50429fa903ca566
                                                  • Instruction ID: 6201355901f458c0f36557428e85d419ca31de49550c26c5d668688d9bb1e683
                                                  • Opcode Fuzzy Hash: 34c6542742eff2dadab3d088a7a61d5c053afa182c64a6caa50429fa903ca566
                                                  • Instruction Fuzzy Hash: 660161B1644648AFEF05DBA2DC42FAEBBACDF48714F61003BF504E7291D6785E05CA68
                                                  APIs
                                                  • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD70
                                                  • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Value$EnumQuery
                                                  • String ID: Inno Setup: No Icons
                                                  • API String ID: 1576479698-2016326496
                                                  • Opcode ID: 388e812ecd06e97e1b31d188035ef8f8b81e1277dc232162d6a0b94f1a497a96
                                                  • Instruction ID: 0d60c2ceabc561baab214a4f8badfae1c51fae2703c03b7062d0178a0b9483fa
                                                  • Opcode Fuzzy Hash: 388e812ecd06e97e1b31d188035ef8f8b81e1277dc232162d6a0b94f1a497a96
                                                  • Instruction Fuzzy Hash: C3012632B55B307AFB3085256C42F7B568CCF46B60F68003BF981EA2C1D6989C04936E
                                                  APIs
                                                    • Part of subcall function 0047C8B0: FreeLibrary.KERNEL32(6FBC0000,00480FF3), ref: 0047C8C6
                                                    • Part of subcall function 0047C580: GetTickCount.KERNEL32 ref: 0047C5CA
                                                    • Part of subcall function 004570B4: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004570D3
                                                  • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,00497E67), ref: 00497565
                                                  • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,00497E67), ref: 0049756B
                                                  Strings
                                                  • Detected restart. Removing temporary directory., xrefs: 0049751F
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                  • String ID: Detected restart. Removing temporary directory.
                                                  • API String ID: 1717587489-3199836293
                                                  • Opcode ID: 10733e8d0c2fcbcf81e8bc1e4ca83bd3e168a9b9b9b758ab357db50908ba3c86
                                                  • Instruction ID: 3a6ec644de21484b963019a16799c2105d01f9358526232ca3662f3e81dafe78
                                                  • Opcode Fuzzy Hash: 10733e8d0c2fcbcf81e8bc1e4ca83bd3e168a9b9b9b758ab357db50908ba3c86
                                                  • Instruction Fuzzy Hash: C5E0E57121C6007EDE4177B6BC6295B3F9CD745778752483BF40881952E52D5810C6BD
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(00000000,004980C2), ref: 0040334B
                                                  • GetCommandLineA.KERNEL32(00000000,004980C2), ref: 00403356
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: CommandHandleLineModule
                                                  • String ID: H6q
                                                  • API String ID: 2123368496-802608565
                                                  • Opcode ID: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
                                                  • Instruction ID: ff8fa06d391bd0b31f892a344b3e95d40f530220570fde7b1ba7fad45aeb04f1
                                                  • Opcode Fuzzy Hash: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
                                                  • Instruction Fuzzy Hash: 45C002609013058AD754AF7579467162A94D751349F80447FF114BA3E1D77C82055BDD
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.3007277415.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000001.00000002.3007253529.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007375599.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007415316.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007440732.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000001.00000002.3007498592.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_AUCHKVG4Ic.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastSleep
                                                  • String ID:
                                                  • API String ID: 1458359878-0
                                                  • Opcode ID: defff66af4325d3c28b570447d2f47c0b7c8b64933ddb782de5565f815c6b007
                                                  • Instruction ID: de14e8d07cc4d1fec6b94f0f99926b65e7014e25a7505cf550c56fab82152177
                                                  • Opcode Fuzzy Hash: defff66af4325d3c28b570447d2f47c0b7c8b64933ddb782de5565f815c6b007
                                                  • Instruction Fuzzy Hash: 91F0F672640954978A20B5DB89A1A3F724CDA94365760012BEC0CD7203C579CC494BAD

                                                  Execution Graph

                                                  Execution Coverage: 1.1%
                                                  Dynamic/Decrypted Code Coverage: 67.8%
                                                  Signature Coverage: 18.2%
                                                  Total number of Nodes: 522
                                                  Total number of Limit Nodes: 30
                                                  execution_graph 61649 402840 61650 40d08c LoadLibraryExA 61649->61650 61651 40d603 61650->61651 61652 402142 61653 40287b RegQueryValueExA 61652->61653 61654 402b6b RegCloseKey 61653->61654 61656 2e84caa 61657 2e93f82 61656->61657 61660 2e0ead8 LoadLibraryA 61657->61660 61661 2e0eb01 GetProcAddress 61660->61661 61662 2e0ebbb 61660->61662 61663 2e0ebb4 FreeLibrary 61661->61663 61664 2e0eb15 61661->61664 61663->61662 61665 2e0eb27 GetAdaptersInfo 61664->61665 61666 2e0ebaf 61664->61666 61668 2e12c8c 60 API calls 3 library calls 61664->61668 61665->61664 61666->61663 61668->61664 61669 402d43 Sleep 61670 2e73163 61671 2e9b1e8 CreateFileA 61670->61671 61672 2e9df76 61671->61672 61673 4026c8 61674 402b71 61673->61674 61675 40d6ff RegOpenKeyExA 61673->61675 61676 40dee4 61674->61676 61677 40d4c4 RegCloseKey 61674->61677 61675->61674 61678 2e064ec 61707 2e061ac shared_ptr __recalloc 61678->61707 61679 2e061c6 RtlEnterCriticalSection RtlLeaveCriticalSection 61679->61678 61680 2e061c0 Sleep 61680->61679 61681 2e0655c RtlEnterCriticalSection RtlLeaveCriticalSection 61718 2e1147c 61681->61718 61683 2e1147c 66 API calls 61683->61707 61686 2e068b7 RtlEnterCriticalSection RtlLeaveCriticalSection 61686->61707 61690 2e06a1b RtlEnterCriticalSection 61691 2e06a48 RtlLeaveCriticalSection 61690->61691 61690->61707 61755 2e03c67 72 API calls Mailbox 61691->61755 61694 2e120ec 59 API calls _malloc 61694->61707 61697 2e12726 60 API calls _strtok 61697->61707 61698 2e09856 73 API calls 61698->61707 61700 2e120b4 59 API calls _free 61700->61707 61707->61679 61707->61680 61707->61681 61707->61683 61707->61686 61707->61690 61707->61691 61707->61694 61707->61697 61707->61698 61707->61700 61707->61707 61711 2e06834 Sleep 61707->61711 61712 2e0682f shared_ptr 61707->61712 61715 2e05ccd 61707->61715 61728 2e120ec 61707->61728 61745 2e11990 59 API calls _vscan_fn 61707->61745 61746 2e12c8c 60 API calls 3 library calls 61707->61746 61747 2e08868 6 
(Execution graph continued: the interactive node/edge rendering of the API call chains is not reproduced here. Chains recoverable from the graph data, keyed by the address of the calling function:)
• 403310: GetVersion → HeapCreate → GetCommandLineA → GetEnvironmentStringsW/GetEnvironmentStrings → GetModuleFileNameA → GetStartupInfoA → GetModuleHandleA, with the usual SetHandleCount/GetStdHandle/GetFileType and UnhandledExceptionFilter/TerminateProcess/ExitProcess blocks (C runtime start-up of the 00400000 image)
• 2e05f1a: RtlInitializeCriticalSection, GetModuleHandleA/GetProcAddress ×2, GetTickCount, GetVersionExA, _malloc ×8, GetProcessHeap/RtlAllocateHeap ×3, RtlEnterCriticalSection/RtlLeaveCriticalSection, _malloc ×4, QueryPerformanceCounter, Sleep, _malloc ×2, then a worker loop built from RtlEnterCriticalSection/RtlLeaveCriticalSection, Sleep, _sprintf (2e11558), _strtok (2e12726), _swscanf (2e11990), _malloc/_free and GetProcessHeap/HeapFree (main routine of the 02E01000 region)
• 2e12e4f: DLL entry (___DllMainCRTStartup) → GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter → __CRT_INIT (TlsAlloc/TlsSetValue, InitializeCriticalSectionAndSpinCount, GetEnvironmentStringsW/WideCharToMultiByte, GetModuleFileNameA, GetStartupInfoW, RtlEncodePointer/RtlDecodePointer)
• 2e0104d: __cinit → 2e01aa9 InterlockedIncrement → WSAStartup, InterlockedExchange
• 2e0e9d4: CreateFileA → DeviceIoControl → GetLastError → CloseHandle
• 401b4b: LoadLibraryA → GetProcAddress → GetAdaptersInfo → FreeLibrary
• 401f64: FindResourceA → GetLastError, SizeofResource → LoadResource, LockResource, GlobalAlloc → GetTickCount → GlobalAlloc
• 4021d4: RegCreateKeyExA → SetEvent; 402981: RegSetValueExA → RegCloseKey
• 402632 and 40db36: CopyFileA; 40d9df: CreateDirectoryA; 402cc6: VirtualAlloc; 402995: lstrcmpiW; 40d2be: OpenSCManagerA
• 2e4f92b and 2e620e5: WriteFile; 2e73241: ReadFile; 2e4ed79: CloseHandle

                                                  Control-flow Graph
                                                  (Interactive basic-block graph of the function at 2e05f1a, blocks 2e05f1a-2e06c81; the executed/not-executed colouring and the node/edge data are not reproduced here. Shape: the entry block 2e05f1a-2e05f80 resolves imports; the block 2e05f87-2e061a8 runs the allocation and initialisation sequence listed under APIs; from 2e061ac the function loops (2e061ac → 2e061c0 Sleep → 2e061c6 RtlEnterCriticalSection/RtlLeaveCriticalSection → 2e06522 → back to 2e061ac), and the subcalls 2e1147c, 2e0439c, 2e11558 (_sprintf), 2e01ba7, 2e12726 (_strtok), 2e11990 (_swscanf), 2e09856, 2e0c248, 2e0751b, 2e033b2 and 2e08134 are reached from inside that loop.)
                                                  APIs
                                                  • RtlInitializeCriticalSection.NTDLL(02E36008), ref: 02E05F4E
                                                  • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02E05F65
                                                  • GetProcAddress.KERNEL32(00000000), ref: 02E05F6E
                                                  • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02E05F7D
                                                  • GetProcAddress.KERNEL32(00000000), ref: 02E05F80
                                                  • GetTickCount.KERNEL32 ref: 02E05F94
                                                    • Part of subcall function 02E05A93: _malloc.LIBCMT ref: 02E05AA1
                                                  • GetVersionExA.KERNEL32(02E35E58), ref: 02E05FC1
                                                  • _malloc.LIBCMT ref: 02E05FED
                                                    • Part of subcall function 02E120EC: __FF_MSGBANNER.LIBCMT ref: 02E12103
                                                    • Part of subcall function 02E120EC: __NMSG_WRITE.LIBCMT ref: 02E1210A
                                                    • Part of subcall function 02E120EC: RtlAllocateHeap.NTDLL(00900000,00000000,00000001), ref: 02E1212F
                                                  • _malloc.LIBCMT ref: 02E05FFD
                                                  • _malloc.LIBCMT ref: 02E06008
                                                  • _malloc.LIBCMT ref: 02E06013
                                                  • _malloc.LIBCMT ref: 02E0601E
                                                  • _malloc.LIBCMT ref: 02E06029
                                                  • _malloc.LIBCMT ref: 02E06034
                                                  • _malloc.LIBCMT ref: 02E06040
                                                  • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02E06057
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02E06060
                                                  • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02E0606C
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02E0606F
                                                  • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02E0607A
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02E0607D
                                                  • RtlEnterCriticalSection.NTDLL(02E36008), ref: 02E060B4
                                                  • RtlLeaveCriticalSection.NTDLL(02E36008), ref: 02E060C1
                                                  • _malloc.LIBCMT ref: 02E060E2
                                                  • _malloc.LIBCMT ref: 02E060F0
                                                  • _malloc.LIBCMT ref: 02E060F7
                                                  • _malloc.LIBCMT ref: 02E06118
                                                  • QueryPerformanceCounter.KERNEL32(00000200), ref: 02E06124
                                                  • Sleep.KERNEL32(00000000), ref: 02E06132
                                                  • _malloc.LIBCMT ref: 02E0613E
                                                  • _malloc.LIBCMT ref: 02E0614E
                                                  • Sleep.KERNEL32(0000EA60), ref: 02E061C0
                                                  • RtlEnterCriticalSection.NTDLL(02E36008), ref: 02E061CB
                                                  • RtlLeaveCriticalSection.NTDLL(02E36008), ref: 02E061DC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3008595636.0000000002E01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E01000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_2e01000_darelvideostudio32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _malloc$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                  • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
                                                  • API String ID: 4273019447-1038016512
                                                  • Opcode ID: 6ee480c15ad206dff556bbd2f800f41339f734af0a6b09ddf620b6a192bd6d62
                                                  • Instruction ID: 5f7a1532b0d4a2dce2e2d869059c169edfe3b99de0d3bd1c81229a14b6c5c361
                                                  • Opcode Fuzzy Hash: 6ee480c15ad206dff556bbd2f800f41339f734af0a6b09ddf620b6a192bd6d62
                                                  • Instruction Fuzzy Hash: 3371E271DC43A0ABD730AB359C49B5F7BECAF49300F11992AF68597280DA754884CFA6
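The strings attached to this function say what the routine builds before it enters the 60 s Sleep loop (Sleep(0xEA60) at 02E061C0): sprintf and strcat are resolved from ntdll.dll at run time via GetModuleHandleA/GetProcAddress, and a printf-style template yields a query string with the keys gpt, advizor, box, hp, lp, line, os, flag and itd in that fixed order, sent with a User-Agent that claims "Windows NT 9.0", a version string no Windows release has ever produced. Both are high-fidelity network indicators. The C below is an added example written for this page, not code from the sample or from Joe Sandbox: it renders the template with constructed values to show what such a check-in looks like on the wire, and implements the matcher a proxy-log or IDS post-processor could apply. The sample values are invented; the report shows no request path, so none is assumed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example for this page (not code from the sample or the report):
 * render the check-in template recovered as a string of this function with
 * constructed values, and match such query strings and the fixed User-Agent. */

/* Both strings verbatim from the String ID list above. */
#define BEACON_FORMAT \
    "gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d"
#define BEACON_USER_AGENT \
    "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"

/* Key order is fixed by the template, so a matcher can rely on it. */
static const char *const BEACON_KEYS[] = {
    "gpt", "advizor", "box", "hp", "lp", "line", "os", "flag", "itd"
};
#define BEACON_KEY_COUNT (sizeof BEACON_KEYS / sizeof BEACON_KEYS[0])

/* What the template produces. All values are constructed, not captured traffic:
 * gpt is an 8-hex-digit id (%.8x), hp/lp print as hex (%x), os as major.minor.build. */
const char *sample_beacon(void)
{
    static char buf[256];
    snprintf(buf, sizeof buf, BEACON_FORMAT,
             0xdeadbeefu,  /* gpt (assumed id)   */
             1,            /* advizor            */
             0,            /* box                */
             0x100u,       /* hp                 */
             0x200u,       /* lp                 */
             1,            /* line               */
             6, 1, 7601,   /* os = 6.1.7601      */
             0,            /* flag               */
             0);           /* itd                */
    return buf;
}

static int all_hex_digits(const char *s, size_t n)
{
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* os=%d.%d.%04d: digits with exactly two dots, e.g. 6.1.7601 or 10.0.19045. */
static int is_os_triple(const char *s, size_t n)
{
    int dots = 0;
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '.') dots++;
        else if (!isdigit((unsigned char)s[i])) return 0;
    }
    return dots == 2;
}

/* Returns 1 if `query` (optionally preceded by a path and '?') has exactly the
 * nine template keys in template order, with gpt an 8-hex-digit id and os a
 * major.minor.build triple; 0 otherwise. */
int matches_socks5systemz_beacon(const char *query)
{
    const char *p = strchr(query, '?');
    size_t idx = 0;

    p = p ? p + 1 : query;
    while (*p) {
        const char *eq, *amp, *end, *val;
        size_t klen, vlen;

        if (idx >= BEACON_KEY_COUNT) return 0;          /* more pairs than the template */
        eq = strchr(p, '=');
        if (!eq) return 0;
        amp = strchr(eq, '&');
        end = amp ? amp : eq + strlen(eq);
        klen = (size_t)(eq - p);
        if (klen != strlen(BEACON_KEYS[idx]) || memcmp(p, BEACON_KEYS[idx], klen) != 0)
            return 0;                                    /* wrong key or wrong order */
        val = eq + 1;
        vlen = (size_t)(end - val);
        if (vlen == 0) return 0;
        if (idx == 0 && !(vlen == 8 && all_hex_digits(val, vlen))) return 0;
        if (idx == 6 && !is_os_triple(val, vlen)) return 0;
        idx++;
        p = amp ? amp + 1 : end;
    }
    return idx == BEACON_KEY_COUNT;
}

/* "Windows NT 9.0" never shipped, so an exact match on this UA is a strong indicator. */
int is_beacon_user_agent(const char *ua)
{
    return strcmp(ua, BEACON_USER_AGENT) == 0;
}

int main(void)
{
    const char *b = sample_beacon();
    printf("beacon: %s\n", b);
    printf("query matches: %d, UA matches: %d\n",
           matches_socks5systemz_beacon(b), is_beacon_user_agent(BEACON_USER_AGENT));
    return 0;
}
```

The matcher is deliberately strict on order and count: legitimate sites reuse individual names such as line or flag, but not this nine-key sequence with a hex gpt and a dotted os triple, so the rule holds up in proxy logs without the User-Agent. Pairing it with the exact User-Agent gives a second, independent hit on the same request.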

                                                  Control-flow Graph
                                                  (Interactive basic-block graph of the function at 401b4b, blocks 401b4b-401c25; node/edge data not reproduced. Shape: LoadLibraryA → GetProcAddress → GetAdaptersInfo, with the block 401c06-401c13 (call 4030f8) looping back to the GetAdaptersInfo block, i.e. a retry loop around GetAdaptersInfo, before FreeLibrary at 401c18.)
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00401B5D
                                                  • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
                                                  • GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
                                                  • FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                  • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                  • API String ID: 514930453-3667123677
                                                  • Opcode ID: a648eded5dba78bf16f4a137e2c2b6b7b052dc293c02733a72e5b458839b5e0e
                                                  • Instruction ID: a9f54c968f2091474e8feb0d981771773be25d9c6ef5ebc30493122ab1168d3f
                                                  • Opcode Fuzzy Hash: a648eded5dba78bf16f4a137e2c2b6b7b052dc293c02733a72e5b458839b5e0e
                                                  • Instruction Fuzzy Hash: E821B870904209AEDF219F65C9447EF7FB8EF45345F0440BAE604B62A1E7389A85CB69

                                                  Control-flow Graph
                                                  (Interactive basic-block graph of the function at 2e0ead8, blocks 2e0ead8-2e0ebc2; node/edge data not reproduced. Shape: LoadLibraryA → GetProcAddress → GetAdaptersInfo, with the block 2e0eba7-2e0ebaa (after call 2e12c8c) looping back to the GetAdaptersInfo block, a retry loop of the same form as the one at 401b4b in the 00400000 image, before FreeLibrary at 2e0ebb4.)
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02E0EAEE
                                                  • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02E0EB07
                                                  • GetAdaptersInfo.IPHLPAPI(?,?), ref: 02E0EB2C
                                                  • FreeLibrary.KERNEL32(00000000), ref: 02E0EBB5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3008595636.0000000002E01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E01000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_2e01000_darelvideostudio32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                  • String ID: GetAdaptersInfo$iphlpapi.dll
                                                  • API String ID: 514930453-3114217049
                                                  • Opcode ID: a3d942e2736a302c34d11e6ee8b0fac422705abf042a3ae299529793e5e94314
                                                  • Instruction ID: fa52def935990a7e56637cd2d2a2f4483ecd7af4786ca0438cafc54a012dbc6f
                                                  • Opcode Fuzzy Hash: a3d942e2736a302c34d11e6ee8b0fac422705abf042a3ae299529793e5e94314
                                                  • Instruction Fuzzy Hash: B321EB71A802159BDB20DF64D8D4AEDBBF8DF05214F1CA4B9D506E7281D7309986CF60

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 968 2e0e9d4-2e0e9ff CreateFileA 969 2e0ead0-2e0ead7 968->969 970 2e0ea05-2e0ea1a 968->970 971 2e0ea1d-2e0ea3f DeviceIoControl 970->971 972 2e0ea41-2e0ea49 971->972 973 2e0ea78-2e0ea80 971->973 976 2e0ea52-2e0ea57 972->976 977 2e0ea4b-2e0ea50 972->977 974 2e0ea82-2e0ea88 call 2e128e8 973->974 975 2e0ea89-2e0ea8b 973->975 974->975 979 2e0eac6-2e0eacf CloseHandle 975->979 980 2e0ea8d-2e0ea90 975->980 976->973 981 2e0ea59-2e0ea61 976->981 977->973 979->969 984 2e0ea92-2e0ea9b GetLastError 980->984 985 2e0eaac-2e0eab9 call 2e12c8c 980->985 982 2e0ea64-2e0ea69 981->982 982->982 986 2e0ea6b-2e0ea77 call 2e0e827 982->986 984->979 987 2e0ea9d-2e0eaa0 984->987 985->979 992 2e0eabb-2e0eac1 985->992 986->973 987->985 990 2e0eaa2-2e0eaa9 987->990 990->985 992->971
                                                  APIs
                                                  • CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02E0E9F3
                                                  • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02E0EA31
                                                  • GetLastError.KERNEL32 ref: 02E0EA92
                                                  • CloseHandle.KERNEL32(?), ref: 02E0EAC9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3008595636.0000000002E01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E01000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_2e01000_darelvideostudio32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                  • String ID: \\.\PhysicalDrive0
                                                  • API String ID: 4026078076-1180397377
                                                  • Opcode ID: 09a9912ad33d7dddbd9e7685c8707d7863919a35c866cc49277d8527a386b2d3
                                                  • Instruction ID: 61095739751ad15db955cf566f77e7f24adc8b3c1116854cbf85d3f913f9d1dc
                                                  • Opcode Fuzzy Hash: 09a9912ad33d7dddbd9e7685c8707d7863919a35c866cc49277d8527a386b2d3
                                                  • Instruction Fuzzy Hash: 2631E571D80229EBDF24CF96C884AEEBB78FF08714F188579E505A3280D7705A85CB90

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 994 401a4f-401a77 CreateFileA 995 401b45-401b4a 994->995 996 401a7d-401a91 994->996 997 401a98-401ac0 DeviceIoControl 996->997 998 401ac2-401aca 997->998 999 401af3-401afb 997->999 1000 401ad4-401ad9 998->1000 1001 401acc-401ad2 998->1001 1002 401b04-401b07 999->1002 1003 401afd-401b03 call 403106 999->1003 1000->999 1006 401adb-401af1 call 403120 call 4018cc 1000->1006 1001->999 1004 401b09-401b0c 1002->1004 1005 401b3a-401b44 CloseHandle 1002->1005 1003->1002 1008 401b27-401b34 call 4030f8 1004->1008 1009 401b0e-401b17 GetLastError 1004->1009 1005->995 1006->999 1008->997 1008->1005 1009->1005 1012 401b19-401b1c 1009->1012 1012->1008 1015 401b1e-401b24 1012->1015 1015->1008
                                                  APIs
                                                  • CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
                                                  • DeviceIoControl.KERNEL32(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
                                                  • GetLastError.KERNEL32 ref: 00401B0E
                                                  • CloseHandle.KERNEL32(?), ref: 00401B3D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                  • String ID: \\.\PhysicalDrive0
                                                  • API String ID: 4026078076-1180397377
                                                  • Opcode ID: 5b2aa4f6f1db506efa266d4c362af4cf52cfeed2701d30c33ae5bfe5944f1550
                                                  • Instruction ID: ae54cd8959710a424601ffd4623f532e2396a469a493930b182490efebea7a61
                                                  • Opcode Fuzzy Hash: 5b2aa4f6f1db506efa266d4c362af4cf52cfeed2701d30c33ae5bfe5944f1550
                                                  • Instruction Fuzzy Hash: 50318D71D01118EECB21EF95CD809EFBBB8EF45750F20807AE514B22A0E7785E45CB98
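The two functions above resolve GetAdaptersInfo from iphlpapi.dll at run time and open \\.\PhysicalDrive0 for a single DeviceIoControl call, but the listing shows only raw hex arguments. Decoded against the Win32 headers they read: dwDesiredAccess 00000000 (neither GENERIC_READ nor GENERIC_WRITE, so the handle cannot read or write sectors), dwShareMode 00000007 (FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE), dwCreationDisposition 00000003 (OPEN_EXISTING), and control code 002D1400, which is CTL_CODE(FILE_DEVICE_MASS_STORAGE 0x2D, function 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS), i.e. IOCTL_STORAGE_QUERY_PROPERTY, with a 12-byte input (the size of STORAGE_PROPERTY_QUERY) and a 0x400-byte output buffer. That is the standard call for reading a disk's model and serial number; together with the adapter enumeration it reads as machine fingerprinting rather than disk writing. The constant decoding is fact, the fingerprinting reading is an analyst's inference. The script below is an added example and not part of the Joe Sandbox report: it parses the report's own "Func.MODULE(args), ref: addr" lines (copied in as constructed sample input) and decodes these arguments so the same check can be run against any other function in the listing. The KNOWN_IOCTLS table is deliberately small.

```python
"""Triage helper for Joe Sandbox 'APIs' listings (added example, not part of the report)."""
import re

# Constructed sample input: the API lines of the iphlpapi and \\.\PhysicalDrive0
# functions listed in this report, copied verbatim with the bullets dropped.
SAMPLE_API_LINES = r"""
LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02E0EAEE
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02E0EB07
GetAdaptersInfo.IPHLPAPI(?,?), ref: 02E0EB2C
CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
DeviceIoControl.KERNEL32(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
"""

LINE_RE = re.compile(
    r"^\s*[•*-]?\s*(?P<func>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants (SDK headers) used to turn raw hex arguments into names.
GENERIC_FLAGS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                 0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_FLAGS = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM",
                0x12: "FILE_DEVICE_NETWORK", 0x2D: "FILE_DEVICE_MASS_STORAGE"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
# CTL_CODE values that commonly show up in fingerprinting code; extend as needed.
KNOWN_IOCTLS = {0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY",
                0x002D1080: "IOCTL_STORAGE_GET_DEVICE_NUMBER",
                0x00070000: "IOCTL_DISK_GET_DRIVE_GEOMETRY"}


def flags(value, table):
    """Expand a bitmask into the names of the bits that are set, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def decode_ioctl(code):
    """Split a DeviceIoControl control code into its CTL_CODE fields."""
    device, access, function, method = code >> 16, (code >> 14) & 3, (code >> 2) & 0xFFF, code & 3
    return {"name": KNOWN_IOCTLS.get(code), "device": device,
            "device_type": DEVICE_TYPES.get(device, "0x%X" % device),
            "function": function, "method": METHODS[method], "access": ACCESS[access]}


def parse_arg(token):
    """'?' means the sandbox did not capture the value; 8 hex digits are an integer."""
    token = token.strip()
    if token == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", token):  # caveat: an 8-char hex-looking string would also match
        return int(token, 16)
    return token


def annotate(call):
    """Attach a decoded view for the calls that matter in this fingerprinting sequence."""
    func, args = call["func"], call["args"]
    if func == "CreateFileA" and len(args) >= 5:
        path, access, share, disp = args[0], args[1] or 0, args[2] or 0, args[4]
        call["decoded"] = {"path": path, "desired_access": flags(access, GENERIC_FLAGS),
                           "share_mode": flags(share, SHARE_FLAGS),
                           "disposition": DISPOSITIONS.get(disp, disp)}
        if isinstance(path, str) and path.startswith(r"\\.\PhysicalDrive") and not flags(access, GENERIC_FLAGS):
            call["note"] = "raw disk opened with no GENERIC_READ/GENERIC_WRITE: sector I/O impossible, only IOCTL queries"
    elif func == "DeviceIoControl" and len(args) >= 6 and isinstance(args[1], int):
        call["decoded"] = {"ioctl": decode_ioctl(args[1]), "in_size": args[3], "out_size": args[5]}
    elif func == "GetProcAddress" and len(args) == 2 and isinstance(args[1], str):
        call["decoded"] = {"resolves": args[1]}  # import resolved at run time, invisible to the import table
    return call


def triage(text):
    """Parse every 'Func.MODULE(args), ref: addr' line and annotate it."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [parse_arg(a) for a in m.group("args").split(",")] if m.group("args") else []
        calls.append(annotate({"func": m.group("func"), "module": m.group("module"),
                               "args": args, "ref": int(m.group("ref"), 16)}))
    return calls


if __name__ == "__main__":
    for c in triage(SAMPLE_API_LINES):
        print(c["func"], c.get("decoded", ""), c.get("note", ""))
```

Run as-is it prints the decoded calls for the sample lines. A `?` argument means the sandbox did not capture the value, and an argument that happens to be exactly eight hex characters is read as an integer, which is the price of treating the listing as text rather than having the raw trace.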

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 0 2e05e89-2e05e95 1 2e05e97-2e05e9a 0->1 2 2e05ebc 0->2 4 2e05eec-2e05ef8 1->4 5 2e05e9c-2e05e9d 1->5 3 2e05ebe-2e05ec5 2->3 9 2e05f31-2e061a8 RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress call 2e042c7 GetTickCount call 2e05a93 GetVersionExA call 2e13c30 call 2e120ec * 8 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap call 2e13c30 * 3 RtlEnterCriticalSection RtlLeaveCriticalSection call 2e120ec * 4 QueryPerformanceCounter Sleep call 2e120ec * 2 call 2e13c30 * 2 3->9 10 2e05ec7 3->10 6 2e05ef9-2e05f19 4->6 5->3 7 2e05eaf-2e05eba 5->7 7->2 7->7 58 2e061ac-2e061ae 9->58 12 2e05ec4-2e05ec5 10->12 13 2e05ec9-2e05ed6 10->13 12->9 12->10 13->6 15 2e05ed8-2e05eea 13->15 15->4 59 2e061b0-2e061b5 58->59 60 2e061b7-2e061b9 58->60 63 2e061c0 Sleep 59->63 61 2e061c6-2e06506 RtlEnterCriticalSection RtlLeaveCriticalSection 60->61 62 2e061bb 60->62 66 2e06522-2e0652c 61->66 67 2e06508-2e0650e 61->67 62->63 63->61 66->58 70 2e06532-2e06556 call 2e13c30 call 2e0439c 66->70 68 2e06510-2e06512 67->68 69 2e06514-2e06521 call 2e053ec 67->69 68->66 69->66 70->58 77 2e0655c-2e06587 RtlEnterCriticalSection RtlLeaveCriticalSection call 2e1147c 70->77 80 2e065d1-2e065e9 call 2e1147c 77->80 81 2e06589-2e06598 call 2e1147c 77->81 86 2e06892-2e068a1 call 2e1147c 80->86 87 2e065ef-2e065f1 80->87 81->80 88 2e0659a-2e065a9 call 2e1147c 81->88 95 2e068a3-2e068a5 86->95 96 2e068e6-2e068f5 call 2e1147c 86->96 87->86 90 2e065f7-2e066a2 call 2e120ec RtlEnterCriticalSection RtlLeaveCriticalSection call 2e13c30 * 5 call 2e0439c * 2 87->90 88->80 98 2e065ab-2e065ba call 2e1147c 88->98 149 2e066a4-2e066a6 90->149 150 2e066df 90->150 95->96 99 2e068a7-2e068e1 call 2e13c30 RtlEnterCriticalSection RtlLeaveCriticalSection 95->99 109 2e068f7-2e06905 call 2e05ccd call 2e05ddb 96->109 110 2e0690a-2e06919 call 2e1147c 96->110 98->80 111 2e065bc-2e065cb call 2e1147c 98->111 99->58 109->58 120 2e06c30-2e06c3f call 2e1147c 110->120 121 2e0691f-2e06921 110->121 111->58 111->80 120->58 131 2e06c45-2e06c71 call 2e120ec call 2e13c30 call 2e0439c 120->131 121->120 126 2e06927-2e06940 call 2e0439c 121->126 126->58 135 2e06946-2e06a14 call 2e11558 call 2e01ba7 126->135 158 2e06c73-2e06c75 call 2e0534d 131->158 159 2e06c7a-2e06c81 call 2e120b4 131->159 152 2e06a16 call 2e0143f 135->152 153 2e06a1b-2e06a3c RtlEnterCriticalSection 135->153 149->150 156 2e066a8-2e066ba call 2e1147c 149->156 157 2e066e3-2e06711 call 2e120ec call 2e13c30 call 2e0439c 150->157 152->153 154 2e06a48-2e06aaf RtlLeaveCriticalSection call 2e03c67 call 2e03d7e call 2e0746c 153->154 155 2e06a3e-2e06a45 153->155 183 2e06ab5-2e06af7 call 2e09856 154->183 184 2e06c17-2e06c2b call 2e08134 154->184 155->154 156->150 171 2e066bc-2e066dd call 2e0439c 156->171 181 2e06752-2e0675b call 2e120b4 157->181 182 2e06713-2e06722 call 2e12726 157->182 158->159 159->58 171->157 193 2e06880-2e0688d 181->193 194 2e06761-2e06779 call 2e12c8c 181->194 182->181 195 2e06724 182->195 196 2e06be1-2e06c12 call 2e0751b call 2e033b2 183->196 197 2e06afd-2e06b04 183->197 184->58 193->58 206 2e06785 194->206 207 2e0677b-2e06783 call 2e08868 194->207 199 2e06729-2e0673b call 2e11990 195->199 196->184 201 2e06b07-2e06b0c 197->201 212 2e06740-2e06750 call 2e12726 199->212 213 2e0673d 199->213 201->201 205 2e06b0e-2e06b53 call 2e09856 201->205 205->196 216 2e06b59-2e06b5f 205->216 214 2e06787-2e0682d call 2e09980 call 2e03863 call 2e05119 call 2e03863 call 2e09c26 call 2e09d40 206->214 207->214 212->181 212->199 213->212 239 2e06834-2e0685f Sleep call 2e10a30 214->239 240 2e0682f call 2e0380b 214->240 220 2e06b62-2e06b67 216->220 220->220 223 2e06b69-2e06ba4 call 2e09856 220->223 223->196 229 2e06ba6-2e06be0 call 2e0c248 223->229 229->196 244 2e06861-2e0686a call 2e04100 239->244 245 2e0686b-2e06879 239->245 240->239 244->245 245->193 247 2e0687b call 2e0380b 245->247 247->193
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3008595636.0000000002E01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E01000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_2e01000_darelvideostudio32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
                                                  • API String ID: 0-1038016512
                                                  • Opcode ID: 81475ad8706d887712c93956b71084d6c5c4a3b4c939ec4356368fe9e5443ef2
                                                  • Instruction ID: 1c0762b936ae3f0ffe8df27e90427b902999d8018abd59a0891227da47cbb8b1
                                                  • Opcode Fuzzy Hash: 81475ad8706d887712c93956b71084d6c5c4a3b4c939ec4356368fe9e5443ef2
                                                  • Instruction Fuzzy Hash: 0A816771DC83909FD320AF359C49B4FBBEDAF85300F50882AF68587241DA758885CFA5

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 487 2e0644e-2e06458 488 2e0649a-2e064a5 487->488 489 2e0645a-2e06467 487->489 492 2e06486-2e06488 488->492 493 2e064a7-2e064a8 488->493 490 2e06469-2e0646d 489->490 491 2e064ce-2e064d4 489->491 494 2e0646e-2e06470 490->494 499 2e06504-2e06506 491->499 500 2e064d6-2e064eb 491->500 495 2e06471-2e0647c 492->495 496 2e0648a-2e06493 492->496 493->491 497 2e06443-2e06445 493->497 494->495 501 2e06495 495->501 502 2e0647e-2e0647f 495->502 503 2e06480-2e06485 496->503 497->487 505 2e06522-2e0652c 499->505 506 2e06508-2e0650e 499->506 501->488 502->503 504 2e06436-2e0643d 502->504 503->492 504->494 511 2e0643f-2e06442 504->511 509 2e06532-2e06556 call 2e13c30 call 2e0439c 505->509 510 2e061ac-2e061ae 505->510 507 2e06510-2e06512 506->507 508 2e06514-2e06521 call 2e053ec 506->508 507->505 508->505 509->510 524 2e0655c-2e06587 RtlEnterCriticalSection RtlLeaveCriticalSection call 2e1147c 509->524 513 2e061b0-2e061b5 510->513 514 2e061b7-2e061b9 510->514 511->497 519 2e061c0 Sleep 513->519 517 2e061c6-2e06500 RtlEnterCriticalSection RtlLeaveCriticalSection 514->517 518 2e061bb 514->518 517->499 518->519 519->517 527 2e065d1-2e065e9 call 2e1147c 524->527 528 2e06589-2e06598 call 2e1147c 524->528 533 2e06892-2e068a1 call 2e1147c 527->533 534 2e065ef-2e065f1 527->534 528->527 535 2e0659a-2e065a9 call 2e1147c 528->535 542 2e068a3-2e068a5 533->542 543 2e068e6-2e068f5 call 2e1147c 533->543 534->533 537 2e065f7-2e066a2 call 2e120ec RtlEnterCriticalSection RtlLeaveCriticalSection call 2e13c30 * 5 call 2e0439c * 2 534->537 535->527 545 2e065ab-2e065ba call 2e1147c 535->545 596 2e066a4-2e066a6 537->596 597 2e066df 537->597 542->543 546 2e068a7-2e068e1 call 2e13c30 RtlEnterCriticalSection RtlLeaveCriticalSection 542->546 556 2e068f7-2e06905 call 2e05ccd call 2e05ddb 543->556 557 2e0690a-2e06919 call 2e1147c 543->557 545->527 558 2e065bc-2e065cb call 2e1147c 545->558 546->510 556->510 567 2e06c30-2e06c3f call 2e1147c 557->567 568 2e0691f-2e06921 557->568 558->510 558->527 567->510 578 2e06c45-2e06c71 call 2e120ec call 2e13c30 call 2e0439c 567->578 568->567 573 2e06927-2e06940 call 2e0439c 568->573 573->510 582 2e06946-2e06a14 call 2e11558 call 2e01ba7 573->582 605 2e06c73-2e06c75 call 2e0534d 578->605 606 2e06c7a-2e06c81 call 2e120b4 578->606 599 2e06a16 call 2e0143f 582->599 600 2e06a1b-2e06a3c RtlEnterCriticalSection 582->600 596->597 603 2e066a8-2e066ba call 2e1147c 596->603 604 2e066e3-2e06711 call 2e120ec call 2e13c30 call 2e0439c 597->604 599->600 601 2e06a48-2e06aaf RtlLeaveCriticalSection call 2e03c67 call 2e03d7e call 2e0746c 600->601 602 2e06a3e-2e06a45 600->602 630 2e06ab5-2e06af7 call 2e09856 601->630 631 2e06c17-2e06c2b call 2e08134 601->631 602->601 603->597 618 2e066bc-2e066dd call 2e0439c 603->618 628 2e06752-2e0675b call 2e120b4 604->628 629 2e06713-2e06722 call 2e12726 604->629 605->606 606->510 618->604 640 2e06880-2e0688d 628->640 641 2e06761-2e06779 call 2e12c8c 628->641 629->628 642 2e06724 629->642 643 2e06be1-2e06c12 call 2e0751b call 2e033b2 630->643 644 2e06afd-2e06b04 630->644 631->510 640->510 653 2e06785 641->653 654 2e0677b-2e06783 call 2e08868 641->654 646 2e06729-2e0673b call 2e11990 642->646 643->631 648 2e06b07-2e06b0c 644->648 659 2e06740-2e06750 call 2e12726 646->659 660 2e0673d 646->660 648->648 652 2e06b0e-2e06b53 call 2e09856 648->652 652->643 663 2e06b59-2e06b5f 652->663 661 2e06787-2e0682d call 2e09980 call 2e03863 call 2e05119 call 2e03863 call 2e09c26 call 2e09d40 653->661 654->661 659->628 659->646 660->659 686 2e06834-2e0685f Sleep call 2e10a30 661->686 687 2e0682f call 2e0380b 661->687 667 2e06b62-2e06b67 663->667 667->667 670 2e06b69-2e06ba4 call 2e09856 667->670 670->643 676 2e06ba6-2e06be0 call 2e0c248 670->676 676->643 691 2e06861-2e0686a call 2e04100 686->691 692 2e0686b-2e06879 686->692 687->686 691->692 692->640 694 2e0687b call 2e0380b 692->694 694->640
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3008595636.0000000002E01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E01000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_2e01000_darelvideostudio32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
                                                  • API String ID: 0-1839899575
                                                  • Opcode ID: 0da63738f3a8126e2dd83fa310bb0714f2aa1c6d4c6f2f6dc35b556ff41f858c
                                                  • Instruction ID: 52ec23be69eaf1df33fec0144f6ea57ad04aea23e24ce734153e0a6d4dd3b1b4
                                                  • Opcode Fuzzy Hash: 0da63738f3a8126e2dd83fa310bb0714f2aa1c6d4c6f2f6dc35b556ff41f858c
                                                  • Instruction Fuzzy Hash: BA2248325C83819FD7349B24D881BAF77E9AF85704F14E81DF18A8B2D1DB70948ACB56

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 697 2e064ec-2e06500 698 2e06504-2e06506 697->698 699 2e06522-2e0652c 698->699 700 2e06508-2e0650e 698->700 703 2e06532-2e06556 call 2e13c30 call 2e0439c 699->703 704 2e061ac-2e061ae 699->704 701 2e06510-2e06512 700->701 702 2e06514-2e06521 call 2e053ec 700->702 701->699 702->699 703->704 716 2e0655c-2e06587 RtlEnterCriticalSection RtlLeaveCriticalSection call 2e1147c 703->716 706 2e061b0-2e061b5 704->706 707 2e061b7-2e061b9 704->707 712 2e061c0 Sleep 706->712 710 2e061c6-2e061f5 RtlEnterCriticalSection RtlLeaveCriticalSection 707->710 711 2e061bb 707->711 710->697 711->712 712->710 719 2e065d1-2e065e9 call 2e1147c 716->719 720 2e06589-2e06598 call 2e1147c 716->720 725 2e06892-2e068a1 call 2e1147c 719->725 726 2e065ef-2e065f1 719->726 720->719 727 2e0659a-2e065a9 call 2e1147c 720->727 734 2e068a3-2e068a5 725->734 735 2e068e6-2e068ec call 2e1147c 725->735 726->725 729 2e065f7-2e066a2 call 2e120ec RtlEnterCriticalSection RtlLeaveCriticalSection call 2e13c30 * 5 call 2e0439c * 2 726->729 727->719 737 2e065ab-2e065ba call 2e1147c 727->737 788 2e066a4-2e066a6 729->788 789 2e066df 729->789 734->735 738 2e068a7-2e068e1 call 2e13c30 RtlEnterCriticalSection RtlLeaveCriticalSection 734->738 744 2e068f1-2e068f5 735->744 737->719 750 2e065bc-2e065cb call 2e1147c 737->750 738->704 748 2e068f7-2e06900 call 2e05ccd call 2e05ddb 744->748 749 2e0690a-2e06919 call 2e1147c 744->749 764 2e06905 748->764 759 2e06c30-2e06c3f call 2e1147c 749->759 760 2e0691f-2e06921 749->760 750->704 750->719 759->704 770 2e06c45-2e06c71 call 2e120ec call 2e13c30 call 2e0439c 759->770 760->759 765 2e06927-2e06940 call 2e0439c 760->765 764->704 765->704 774 2e06946-2e06a14 call 2e11558 call 2e01ba7 765->774 797 2e06c73-2e06c75 call 2e0534d 770->797 798 2e06c7a-2e06c81 call 2e120b4 770->798 791 2e06a16 call 2e0143f 774->791 792 2e06a1b-2e06a3c RtlEnterCriticalSection 774->792 788->789 795 2e066a8-2e066ba call 2e1147c 788->795 796 2e066e3-2e06711 call 2e120ec call 2e13c30 call 2e0439c 789->796 791->792 793 2e06a48-2e06aaf RtlLeaveCriticalSection call 2e03c67 call 2e03d7e call 2e0746c 792->793 794 2e06a3e-2e06a45 792->794 822 2e06ab5-2e06af7 call 2e09856 793->822 823 2e06c17-2e06c2b call 2e08134 793->823 794->793 795->789 810 2e066bc-2e066dd call 2e0439c 795->810 820 2e06752-2e0675b call 2e120b4 796->820 821 2e06713-2e06722 call 2e12726 796->821 797->798 798->704 810->796 832 2e06880-2e0688d 820->832 833 2e06761-2e06779 call 2e12c8c 820->833 821->820 834 2e06724 821->834 835 2e06be1-2e06c12 call 2e0751b call 2e033b2 822->835 836 2e06afd-2e06b04 822->836 823->704 832->704 845 2e06785 833->845 846 2e0677b-2e06783 call 2e08868 833->846 838 2e06729-2e0673b call 2e11990 834->838 835->823 840 2e06b07-2e06b0c 836->840 851 2e06740-2e06750 call 2e12726 838->851 852 2e0673d 838->852 840->840 844 2e06b0e-2e06b53 call 2e09856 840->844 844->835 855 2e06b59-2e06b5f 844->855 853 2e06787-2e0682d call 2e09980 call 2e03863 call 2e05119 call 2e03863 call 2e09c26 call 2e09d40 845->853 846->853 851->820 851->838 852->851 878 2e06834-2e06843 Sleep 853->878 879 2e0682f call 2e0380b 853->879 859 2e06b62-2e06b67 855->859 859->859 862 2e06b69-2e06ba4 call 2e09856 859->862 862->835 868 2e06ba6-2e06be0 call 2e0c248 862->868 868->835 881 2e0684b-2e0685f call 2e10a30 878->881 879->878 883 2e06861-2e0686a call 2e04100 881->883 884 2e0686b-2e06879 881->884 883->884 884->832 886 2e0687b call 2e0380b 884->886 886->832
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3008595636.0000000002E01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E01000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_2e01000_darelvideostudio32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave_malloc_strtok$_free_swscanf
                                                  • String ID: <htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls
                                                  • API String ID: 2211298692-1437582238
                                                  • Opcode ID: 104a3e7a6bd5792927e4bc6b480c7383de89ba5450f92f8e4945d83c752b1474
                                                  • Instruction ID: 42519221cf7ce59250a4f51612b37d22289b0a71c665e956c3a4ea9289ae2e92
                                                  • Opcode Fuzzy Hash: 104a3e7a6bd5792927e4bc6b480c7383de89ba5450f92f8e4945d83c752b1474
                                                  • Instruction Fuzzy Hash: C9A1EC326C83415BE620A774DC81B5F77DA9F86B04F14F42DF28A972C1DB708886CB26

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 915 401f64-401f84 FindResourceA 916 401f86-401f9d GetLastError SizeofResource 915->916 917 401f9f-401fa1 915->917 916->917 919 401fa6-401fec LoadResource LockResource GlobalAlloc call 402d60 * 2 916->919 918 402096-40209a 917->918 924 401fee-401ff9 919->924 924->924 925 401ffb-402003 GetTickCount 924->925 926 402032-402038 925->926 927 402005-402007 925->927 928 402053-402083 GlobalAlloc call 401c26 926->928 930 40203a-40204a 926->930 927->928 929 402009-40200f 927->929 935 402088-402093 928->935 929->928 934 402011-402023 929->934 931 40204c 930->931 932 40204e-402051 930->932 931->932 932->928 932->930 936 402025 934->936 937 402027-40202a 934->937 935->918 936->937 937->934 938 40202c-40202e 937->938 938->929 939 402030 938->939 939->928
                                                  APIs
                                                  • FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
                                                  • GetLastError.KERNEL32 ref: 00401F86
                                                  • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                  • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                  • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                  • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401FBF
                                                  • GetTickCount.KERNEL32 ref: 00401FFB
                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00402061
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                  • String ID:
                                                  • API String ID: 564119183-0
                                                  • Opcode ID: 4b406982c55cd146a53e35bcfe0d224a47769fdd51ac53a5645699cce47c5184
                                                  • Instruction ID: b01298f5e92dfabffd3260d40ec81ee59ee3d80feb476c4020a7475af27d6630
                                                  • Opcode Fuzzy Hash: 4b406982c55cd146a53e35bcfe0d224a47769fdd51ac53a5645699cce47c5184
                                                  • Instruction Fuzzy Hash: 60315C32900255EFDB105FB89F8896F7B68EF45344B10807AFA86F7281DA748941C7A8

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1019 40d38f 1020 40d391-40d3a5 1019->1020 1021 40d3a7-40d3c0 1020->1021 1022 40d3ed-40d4ca RegCloseKey 1020->1022 1023 40d3c1-40d3c8 1021->1023 1023->1020 1026 40d3c9-40d3d6 1023->1026 1026->1023 1027 40d3d7-40d734 1026->1027
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID: cros$e\Mi$oft\$twar
                                                  • API String ID: 3535843008-1925812714
                                                  • Opcode ID: 209e51a4deb7f885c339a3cdb2322b01f776470df48c8f7b0149394ce31b47b3
                                                  • Instruction ID: c7e25cb524b08df1a1539cf7dbd5854748d9bbe3ba05b2b22b901e10d909b148
                                                  • Opcode Fuzzy Hash: 209e51a4deb7f885c339a3cdb2322b01f776470df48c8f7b0149394ce31b47b3
                                                  • Instruction Fuzzy Hash: 31012430454642CBC3418FD1CFA8694BFA1FA053803A4163FD483A66E2C739A50BDB0E
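The function above reaches the report's string extractor only as four 4-character fragments (cros, e\Mi, oft\ and twar), while the RegOpenKeyExA call listed further down passes the full key name Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders with hKey 80000002, the predefined handle for HKEY_LOCAL_MACHINE. Fragments of that shape are what a dword-at-a-time stack-string build leaves behind as immediates in the instruction stream. The script below is an added example and not part of the Joe Sandbox report: it tests whether the fragments are consecutive 4-byte slices of that path at some alignment, which is the inference being checked rather than something the report states. The fragment set, the hKey value and the key name are copied from the report; everything else is the example's own.

```python
"""Check whether the string fragments the report extracted are 4-byte slices of the
registry path passed to RegOpenKeyExA (added example, not part of the report)."""

# Constructed sample input, copied from this report: the 'String ID' fragments of the
# function at 40d38f, and the hKey / key name shown for RegOpenKeyExA at 0040D704.
FRAGMENTS = {"cros", "e\\Mi", "oft\\", "twar"}
HKEY_ARG = 0x80000002
KEY_PATH = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"

# Predefined HKEY handle values from winreg.h.
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
         0x80000005: "HKEY_CURRENT_CONFIG"}


def hive_name(hkey):
    """Name of a predefined hive handle, or the raw value if it is an ordinary handle."""
    return HIVES.get(hkey, "0x%08X" % hkey)


def chunks(s, width, offset):
    """Slice s into width-char pieces starting at offset: the immediates a compiler
    emits when it stores a string literal one dword at a time."""
    return [s[i:i + width] for i in range(offset, len(s), width)]


def alignments(path, fragments, width=4):
    """Offsets at which every fragment is one of the width-char chunks of path."""
    return [off for off in range(width) if fragments <= set(chunks(path, width, off))]


def evidenced_span(path, fragments, width=4):
    """Longest run of consecutive chunks that are all in fragments, over all matching
    alignments, as (start, end, offset); None if no alignment reproduces them."""
    best = None
    for off in alignments(path, fragments, width):
        pos, start, length = off, None, 0
        for piece in chunks(path, width, off):
            if piece in fragments:
                start = pos if start is None else start
                length += len(piece)
                if best is None or length > best[1] - best[0]:
                    best = (start, start + length, off)
            else:
                start, length = None, 0
            pos += len(piece)
    return best


def explain(hkey, path, fragments):
    """Summarise what the fragments evidence about the key the function opens.
    'fragments_are_dword_slices' is the analyst's inference, not a report field."""
    span = evidenced_span(path, fragments)
    return {
        "key": hive_name(hkey) + "\\" + path,
        "fragments_are_dword_slices": span is not None,
        "evidenced_text": path[span[0]:span[1]] if span else "",
        "alignment": span[2] if span else None,
    }


if __name__ == "__main__":
    for k, v in explain(HKEY_ARG, KEY_PATH, FRAGMENTS).items():
        print("%-28s %s" % (k, v))
```

For these inputs the only alignment that works is offset 3, and the four fragments cover exactly the run "tware\Microsoft\" of the key name; nothing in the report says what precedes the "t", so the script reports only the span the fragments evidence and does not guess the rest.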

                                                  Control-flow Graph

                                                  APIs
                                                  • GetVersion.KERNEL32 ref: 00403336
                                                    • Part of subcall function 00404454: HeapCreate.KERNEL32(00000000,00001000,00000000,0040336F,00000000), ref: 00404465
                                                    • Part of subcall function 00404454: HeapDestroy.KERNEL32 ref: 004044A4
                                                  • GetCommandLineA.KERNEL32 ref: 00403384
                                                  • GetStartupInfoA.KERNEL32(?), ref: 004033AF
                                                  • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004033D2
                                                    • Part of subcall function 0040342B: ExitProcess.KERNEL32 ref: 00403448
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                  • String ID:
                                                  • API String ID: 2057626494-0
                                                  • Opcode ID: b08ae2b8b777e4e577008e5565d37e94f80acee913e276c938b9cc00b58d7c54
                                                  • Instruction ID: a936b3102d24e78b19d7c169988c3063d29dd1dd2c17feae02d4b7387c8d63d1
                                                  • Opcode Fuzzy Hash: b08ae2b8b777e4e577008e5565d37e94f80acee913e276c938b9cc00b58d7c54
                                                  • Instruction Fuzzy Hash: 172183B1900615AED704AFB5DE45A6E7F68EF44705F10413EF901B72D2DB385900CB58

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1057 2e01aa9-2e01ac3 InterlockedIncrement 1058 2e01ac5-2e01ad7 WSAStartup InterlockedExchange 1057->1058 1059 2e01add-2e01ae0 1057->1059 1058->1059
                                                  APIs
                                                  • InterlockedIncrement.KERNEL32(02E362DC), ref: 02E01ABA
                                                  • WSAStartup.WS2_32(00000002,00000000), ref: 02E01ACB
                                                  • InterlockedExchange.KERNEL32(02E362E0,00000000), ref: 02E01AD7
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3008595636.0000000002E01000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E01000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_2e01000_darelvideostudio32.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Interlocked$ExchangeIncrementStartup
                                                  • String ID:
                                                  • API String ID: 1856147945-0

                                                  Control-flow Graph
                                                  APIs
                                                  • RegOpenKeyExA.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders), ref: 0040D704
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004026C9
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                  • API String ID: 71445658-2036018995

                                                  Control-flow Graph
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: CreateEvent
                                                  • String ID:
                                                  • API String ID: 2692171526-0

                                                  Control-flow Graph
                                                  APIs
                                                  • HeapCreate.KERNEL32(00000000,00001000,00000000,0040336F,00000000), ref: 00404465
                                                    • Part of subcall function 0040430C: GetVersionExA.KERNEL32 ref: 0040432B
                                                  • HeapDestroy.KERNEL32 ref: 004044A4
                                                    • Part of subcall function 0040482B: HeapAlloc.KERNEL32(00000000,00000140,0040448D,000003F8), ref: 00404838
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocCreateDestroyVersion
                                                  • String ID:
                                                  • API String ID: 2507506473-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: CloseQueryValue
                                                  • String ID:
                                                  • API String ID: 3356406503-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: CloseValue
                                                  • String ID:
                                                  • API String ID: 3132538880-0
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3008595636.0000000002E39000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E39000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_2e39000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  • ReadFile.KERNEL32(6BB6263E), ref: 02E8D8E0
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3008595636.0000000002E39000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E39000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_2e39000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3008595636.0000000002E39000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E39000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_2e39000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3008595636.0000000002E39000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E39000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_2e39000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3008595636.0000000002E39000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E39000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_2e39000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  APIs
                                                  • LoadLibraryExA.KERNEL32(?,00000000), ref: 0040D08C
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3008595636.0000000002E39000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E39000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_2e39000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3008595636.0000000002E39000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E39000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_2e39000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: CopyFile
                                                  • String ID:
                                                  • API String ID: 1304948518-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: CopyFile
                                                  • String ID:
                                                  • API String ID: 1304948518-0
                                                  APIs
                                                  • LoadLibraryExA.KERNEL32(?,00000000), ref: 0040D08C
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: CopyFile
                                                  • String ID:
                                                  • API String ID: 1304948518-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: CreateDirectory
                                                  • String ID:
                                                  • API String ID: 4241100979-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: ManagerOpen
                                                  • String ID:
                                                  • API String ID: 1889721586-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3008595636.0000000002E39000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E39000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_2e39000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle
                                                  • String ID:
                                                  • API String ID: 2962429428-0
                                                  APIs
                                                  • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,0040909C), ref: 0040D250
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  APIs
                                                  • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,0040909C), ref: 0040D250
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: lstrcmpi
                                                  • String ID:
                                                  • API String ID: 1586166983-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID:
                                                  • API String ID: 3472027048-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3007253928.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000004.00000002.3007253928.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID:
                                                  • API String ID: 3472027048-0
                                                  APIs
                                                  • sqlite3_malloc.SQLITE3 ref: 609674C6
                                                    • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                    • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                    • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                    • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                  • sqlite3_step.SQLITE3 ref: 6096755A
                                                  • sqlite3_malloc.SQLITE3 ref: 6096783A
                                                  • sqlite3_bind_int64.SQLITE3 ref: 609678A8
                                                  • sqlite3_column_bytes.SQLITE3 ref: 609678E8
                                                  • sqlite3_column_blob.SQLITE3 ref: 60967901
                                                  • sqlite3_column_int64.SQLITE3 ref: 6096791A
                                                  • sqlite3_column_int64.SQLITE3 ref: 60967931
                                                  • sqlite3_column_int64.SQLITE3 ref: 60967950
                                                  • sqlite3_step.SQLITE3 ref: 609679C3
                                                  • sqlite3_bind_int64.SQLITE3 ref: 60967AA9
                                                  • sqlite3_step.SQLITE3 ref: 60967AB4
                                                  • sqlite3_column_int.SQLITE3 ref: 60967AC7
                                                  • sqlite3_reset.SQLITE3 ref: 60967AD4
                                                  • sqlite3_bind_int.SQLITE3 ref: 60967B89
                                                  • sqlite3_step.SQLITE3 ref: 60967B94
                                                  • sqlite3_column_int64.SQLITE3 ref: 60967BB0
                                                  • sqlite3_column_int64.SQLITE3 ref: 60967BCF
                                                  • sqlite3_column_int64.SQLITE3 ref: 60967BE6
                                                  • sqlite3_column_bytes.SQLITE3 ref: 60967C05
                                                  • sqlite3_column_blob.SQLITE3 ref: 60967C1E
                                                    • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED50
                                                  • sqlite3_bind_int64.SQLITE3 ref: 60967C72
                                                  • sqlite3_step.SQLITE3 ref: 60967C7D
                                                  • memcmp.MSVCRT ref: 60967D4C
                                                  • sqlite3_free.SQLITE3 ref: 60967D69
                                                  • sqlite3_free.SQLITE3 ref: 60967D74
                                                  • sqlite3_free.SQLITE3 ref: 60967FF7
                                                  • sqlite3_free.SQLITE3 ref: 60968002
                                                    • Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                    • Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                    • Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
                                                    • Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
                                                    • Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621
                                                  • sqlite3_reset.SQLITE3 ref: 60967C93
                                                    • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                    • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                  • sqlite3_reset.SQLITE3 ref: 60967CA7
                                                  • sqlite3_reset.SQLITE3 ref: 60968035
                                                  • sqlite3_bind_int64.SQLITE3 ref: 60967B72
                                                    • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6096809D
                                                  • sqlite3_bind_int64.SQLITE3 ref: 609680C6
                                                  • sqlite3_step.SQLITE3 ref: 609680D1
                                                  • sqlite3_column_int.SQLITE3 ref: 609680F3
                                                  • sqlite3_reset.SQLITE3 ref: 60968104
                                                  • sqlite3_step.SQLITE3 ref: 60968139
                                                  • sqlite3_column_int64.SQLITE3 ref: 60968151
                                                  • sqlite3_reset.SQLITE3 ref: 6096818A
                                                    • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED2B
                                                    • Part of subcall function 6095ECA6: sqlite3_bind_value.SQLITE3 ref: 6095EDDF
                                                  • sqlite3_reset.SQLITE3 ref: 609679E9
                                                    • Part of subcall function 609160CD: sqlite3_realloc.SQLITE3 ref: 609160EF
                                                  • sqlite3_column_bytes.SQLITE3 ref: 60967587
                                                    • Part of subcall function 6091D5DC: sqlite3_value_bytes.SQLITE3 ref: 6091D5F4
                                                  • sqlite3_column_blob.SQLITE3 ref: 60967572
                                                    • Part of subcall function 6091D57E: sqlite3_value_blob.SQLITE3 ref: 6091D596
                                                  • sqlite3_reset.SQLITE3 ref: 609675B7
                                                  • sqlite3_bind_int.SQLITE3 ref: 60967641
                                                  • sqlite3_step.SQLITE3 ref: 6096764C
                                                  • sqlite3_column_int64.SQLITE3 ref: 6096766E
                                                  • sqlite3_reset.SQLITE3 ref: 6096768B
                                                  • sqlite3_bind_int.SQLITE3 ref: 6096754F
                                                    • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                  • sqlite3_bind_int.SQLITE3 ref: 609690B2
                                                  • sqlite3_bind_blob.SQLITE3 ref: 609690DB
                                                  • sqlite3_step.SQLITE3 ref: 609690E6
                                                  • sqlite3_reset.SQLITE3 ref: 609690F1
                                                  • sqlite3_free.SQLITE3 ref: 60969102
                                                  • sqlite3_free.SQLITE3 ref: 6096910D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_reset$sqlite3_step$sqlite3_column_int64sqlite3_free$sqlite3_bind_int64$sqlite3_bind_int$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mprintf$sqlite3_column_intsqlite3_mutex_leave$memcmpsqlite3_bind_blobsqlite3_bind_valuesqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_initializesqlite3_mutex_entersqlite3_prepare_v2sqlite3_reallocsqlite3_value_blobsqlite3_value_bytes
                                                  • String ID: $d
                                                  • API String ID: 2451604321-2084297493
                                                  APIs
                                                  • sqlite3_value_text.SQLITE3 ref: 6096A64C
                                                  • sqlite3_value_bytes.SQLITE3 ref: 6096A656
                                                  • sqlite3_strnicmp.SQLITE3 ref: 6096A682
                                                  • sqlite3_strnicmp.SQLITE3 ref: 6096A6BC
                                                  • sqlite3_mprintf.SQLITE3 ref: 6096A6F9
                                                  • sqlite3_malloc.SQLITE3 ref: 6096A754
                                                  • sqlite3_step.SQLITE3 ref: 6096A969
                                                  • sqlite3_free.SQLITE3 ref: 6096A9AC
                                                  • sqlite3_finalize.SQLITE3 ref: 6096A9BB
                                                  • sqlite3_strnicmp.SQLITE3 ref: 6096B04A
                                                    • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                    • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
                                                    • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
                                                  • sqlite3_value_int.SQLITE3 ref: 6096B241
                                                  • sqlite3_malloc.SQLITE3 ref: 6096B270
                                                  • sqlite3_bind_null.SQLITE3 ref: 6096B2DF
                                                  • sqlite3_step.SQLITE3 ref: 6096B2EA
                                                  • sqlite3_reset.SQLITE3 ref: 6096B2F5
                                                  • sqlite3_value_int.SQLITE3 ref: 6096B43B
                                                  • sqlite3_value_text.SQLITE3 ref: 6096B530
                                                  • sqlite3_value_bytes.SQLITE3 ref: 6096B576
                                                  • sqlite3_free.SQLITE3 ref: 6096B5F4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_stepsqlite3_strnicmp$sqlite3_freesqlite3_mallocsqlite3_resetsqlite3_value_bytessqlite3_value_intsqlite3_value_text$sqlite3_bind_intsqlite3_bind_nullsqlite3_finalizesqlite3_mprintf
                                                  • String ID: optimize
                                                  • API String ID: 1540667495-3797040228
                                                  APIs
                                                  • sqlite3_finalize.SQLITE3 ref: 60966178
                                                  • sqlite3_free.SQLITE3 ref: 60966183
                                                  • sqlite3_value_numeric_type.SQLITE3 ref: 609661AE
                                                  • sqlite3_value_numeric_type.SQLITE3 ref: 609661DE
                                                  • sqlite3_value_text.SQLITE3 ref: 60966236
                                                  • sqlite3_value_int.SQLITE3 ref: 60966274
                                                  • memcmp.MSVCRT ref: 6096639E
                                                    • Part of subcall function 60940A5B: sqlite3_malloc.SQLITE3 ref: 60940AA1
                                                    • Part of subcall function 60940A5B: sqlite3_free.SQLITE3 ref: 60940C1D
                                                  • sqlite3_mprintf.SQLITE3 ref: 60966B51
                                                  • sqlite3_mprintf.SQLITE3 ref: 60966B7D
                                                    • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
                                                    • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_freesqlite3_mprintfsqlite3_value_numeric_type$memcmpsqlite3_finalizesqlite3_initializesqlite3_mallocsqlite3_value_intsqlite3_value_textsqlite3_vmprintf
                                                  • String ID: ASC$DESC$x
                                                  • API String ID: 4082667235-1162196452
                                                  APIs
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6096882B
                                                  • sqlite3_bind_int.SQLITE3 ref: 60968842
                                                  • sqlite3_step.SQLITE3 ref: 6096884D
                                                  • sqlite3_reset.SQLITE3 ref: 60968858
                                                  • sqlite3_bind_int64.SQLITE3 ref: 60968907
                                                  • sqlite3_bind_int.SQLITE3 ref: 60968924
                                                  • sqlite3_step.SQLITE3 ref: 6096892F
                                                  • sqlite3_column_blob.SQLITE3 ref: 60968947
                                                  • sqlite3_column_bytes.SQLITE3 ref: 6096895C
                                                  • sqlite3_column_int64.SQLITE3 ref: 60968975
                                                  • sqlite3_reset.SQLITE3 ref: 609689B0
                                                    • Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                    • Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                    • Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
                                                    • Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
                                                    • Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621
                                                  • sqlite3_free.SQLITE3 ref: 60968A68
                                                  • sqlite3_bind_int64.SQLITE3 ref: 60968B00
                                                  • sqlite3_bind_int64.SQLITE3 ref: 60968B2D
                                                  • sqlite3_step.SQLITE3 ref: 60968B38
                                                  • sqlite3_reset.SQLITE3 ref: 60968B43
                                                  • sqlite3_bind_int64.SQLITE3 ref: 60968B9F
                                                  • sqlite3_bind_blob.SQLITE3 ref: 60968BC8
                                                  • sqlite3_bind_int64.SQLITE3 ref: 60968BEF
                                                  • sqlite3_bind_int.SQLITE3 ref: 60968C0C
                                                  • sqlite3_step.SQLITE3 ref: 60968C17
                                                  • sqlite3_reset.SQLITE3 ref: 60968C22
                                                  • sqlite3_free.SQLITE3 ref: 60968C2F
                                                  • sqlite3_free.SQLITE3 ref: 60968C3A
                                                    • Part of subcall function 60916390: sqlite3_free.SQLITE3 ref: 609164E9
                                                    • Part of subcall function 60916390: sqlite3_free.SQLITE3 ref: 609164F4
                                                    • Part of subcall function 6095F772: sqlite3_bind_int64.SQLITE3 ref: 6095F7AC
                                                    • Part of subcall function 6095F772: sqlite3_bind_blob.SQLITE3 ref: 6095F7D5
                                                    • Part of subcall function 6095F772: sqlite3_step.SQLITE3 ref: 6095F7E0
                                                    • Part of subcall function 6095F772: sqlite3_reset.SQLITE3 ref: 6095F7EB
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_bind_int64$sqlite3_free$sqlite3_resetsqlite3_step$sqlite3_bind_int$sqlite3_bind_blob$sqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_column_blobsqlite3_column_bytessqlite3_column_int64sqlite3_malloc
                                                  • String ID:
                                                  • API String ID: 2526640242-0
                                                  APIs
                                                  • sqlite3_bind_int64.SQLITE3(?,?), ref: 609693A5
                                                  • sqlite3_step.SQLITE3(?,?), ref: 609693B0
                                                  • sqlite3_column_int64.SQLITE3(?,?), ref: 609693DC
                                                    • Part of subcall function 6096A2BD: sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                    • Part of subcall function 6096A2BD: sqlite3_step.SQLITE3 ref: 6096A32D
                                                    • Part of subcall function 6096A2BD: sqlite3_column_int.SQLITE3 ref: 6096A347
                                                    • Part of subcall function 6096A2BD: sqlite3_reset.SQLITE3 ref: 6096A354
                                                  • sqlite3_reset.SQLITE3(?,?), ref: 609693F3
                                                  • sqlite3_malloc.SQLITE3(?), ref: 60969561
                                                  • sqlite3_malloc.SQLITE3(?), ref: 6096958D
                                                  • sqlite3_step.SQLITE3(?), ref: 609695D2
                                                  • sqlite3_column_int64.SQLITE3(?), ref: 609695EA
                                                  • sqlite3_reset.SQLITE3(?), ref: 60969604
                                                  • sqlite3_realloc.SQLITE3(?), ref: 609697D0
                                                  • sqlite3_realloc.SQLITE3(?), ref: 609698A9
                                                    • Part of subcall function 609129D5: sqlite3_initialize.SQLITE3(?,?,?,60915F55,?,?,?,?,?,?,00000000,?,?,?,60915FE2,00000000), ref: 609129E0
                                                  • sqlite3_bind_int64.SQLITE3(?,?), ref: 609699B8
                                                  • sqlite3_bind_int64.SQLITE3(?), ref: 6096934D
                                                    • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                  • sqlite3_bind_int64.SQLITE3(?,?), ref: 60969A6A
                                                  • sqlite3_step.SQLITE3(?,?), ref: 60969A75
                                                  • sqlite3_reset.SQLITE3(?,?), ref: 60969A80
                                                  • sqlite3_free.SQLITE3(?), ref: 60969D41
                                                  • sqlite3_free.SQLITE3(?), ref: 60969D4C
                                                  • sqlite3_free.SQLITE3(?), ref: 60969D5B
                                                    • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                    • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                    • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_bind_int64$sqlite3_freesqlite3_resetsqlite3_step$sqlite3_column_int64sqlite3_mallocsqlite3_realloc$sqlite3_column_intsqlite3_initializesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2
                                                  • String ID:
                                                  • API String ID: 961572588-0
                                                  • Opcode ID: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                  • Instruction ID: dba6eef834311e7f80380fc62c490a647dd1765b4da9a7e0a506f520bf28697a
                                                  • Opcode Fuzzy Hash: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                  • Instruction Fuzzy Hash: 9872F275A042298FDB24CF69C88078DB7F6FF98314F1586A9D889AB341D774AD81CF81
                                                  APIs
                                                    • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                    • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                    • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6095F8E5
                                                    • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                  • sqlite3_bind_int.SQLITE3 ref: 6095F8FF
                                                    • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6095F920
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6095F941
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6095F962
                                                  • sqlite3_bind_blob.SQLITE3 ref: 6095F98B
                                                  • sqlite3_step.SQLITE3 ref: 6095F996
                                                  • sqlite3_reset.SQLITE3 ref: 6095F9A1
                                                    • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                    • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_bind_int64$sqlite3_mutex_leave$sqlite3_bind_blobsqlite3_bind_intsqlite3_freesqlite3_mprintfsqlite3_mutex_entersqlite3_prepare_v2sqlite3_resetsqlite3_step
                                                  • String ID:
                                                  • API String ID: 1154799056-0
                                                  • Opcode ID: e44b370a1dfa701ff5b9885cc4cf0a2423246689aee604e01ba9336684cc4512
                                                  • Instruction ID: 4c6ccefb8af807723b251ff764995e511564b2c054836566e23fd100615de26c
                                                  • Opcode Fuzzy Hash: e44b370a1dfa701ff5b9885cc4cf0a2423246689aee604e01ba9336684cc4512
                                                  • Instruction Fuzzy Hash: A3415DB4908708AFCB04DF69D18469EBBF1EF98314F11C91AE898A7344E775D9448F92
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_bind_int64sqlite3_mutex_leavesqlite3_stricmp
                                                  • String ID: 2$foreign key$indexed
                                                  • API String ID: 4126863092-702264400
                                                  • Opcode ID: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                  • Instruction ID: 3d5d194cd292e354de8359ea213fef7e5121ae3f60f7d2d7ba557b44893e8b9c
                                                  • Opcode Fuzzy Hash: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                  • Instruction Fuzzy Hash: 6BE1B374A142099FDB04CFA8D590A9DBBF2BFA9304F21C129E855AB754DB35ED82CF40
                                                  APIs
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6094A72B
                                                  • sqlite3_step.SQLITE3 ref: 6094A73C
                                                  • sqlite3_column_blob.SQLITE3 ref: 6094A760
                                                  • sqlite3_column_bytes.SQLITE3 ref: 6094A77C
                                                  • sqlite3_malloc.SQLITE3 ref: 6094A793
                                                  • sqlite3_reset.SQLITE3 ref: 6094A7F2
                                                  • sqlite3_free.SQLITE3(?), ref: 6094A87C
                                                    • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_bind_int64sqlite3_column_blobsqlite3_column_bytessqlite3_freesqlite3_mallocsqlite3_mutex_entersqlite3_resetsqlite3_step
                                                  • String ID:
                                                  • API String ID: 2794791986-0
                                                  • Opcode ID: 324244e72ed1eb068e97444324dd06558e7f5640642cd65f7376e38a8826fd77
                                                  • Instruction ID: 088d5e00ded46b3eb5457b54e5d33bc48436a4b712d77f6ae5dc1ca3eb859b7b
                                                  • Opcode Fuzzy Hash: 324244e72ed1eb068e97444324dd06558e7f5640642cd65f7376e38a8826fd77
                                                  • Instruction Fuzzy Hash: BE5110B5A042058FCB04CF69C48069ABBF6FF68318F158569E858AB345D734EC82CF90
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_stricmp
                                                  • String ID: USING COVERING INDEX $DISTINCT$ORDER BY
                                                  • API String ID: 912767213-1308749736
                                                  • Opcode ID: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                  • Instruction ID: 4f43644a9add5c5df618cbd47cd61ce2203d262f2077f605e752fe25420d36ab
                                                  • Opcode Fuzzy Hash: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                  • Instruction Fuzzy Hash: 2412D674A08268CFDB25DF28C880B5AB7B3AFA9314F1085E9E8899B355D774DD81CF41
                                                  APIs
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6094B488
                                                  • sqlite3_step.SQLITE3 ref: 6094B496
                                                  • sqlite3_reset.SQLITE3 ref: 6094B4A4
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6094B4D2
                                                  • sqlite3_step.SQLITE3 ref: 6094B4E0
                                                  • sqlite3_reset.SQLITE3 ref: 6094B4EE
                                                    • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_bind_int64sqlite3_resetsqlite3_step$memmove
                                                  • String ID:
                                                  • API String ID: 4082478743-0
                                                  • Opcode ID: 967f7dd55d0e0ed5657609aa573e07de9c17706341fbe9ef37ba536950e7892f
                                                  • Instruction ID: 9e7f29540a3c6f2d28ce6b101cd1a975f5529a8f599b89b7128c34d749e8d9ce
                                                  • Opcode Fuzzy Hash: 967f7dd55d0e0ed5657609aa573e07de9c17706341fbe9ef37ba536950e7892f
                                                  • Instruction Fuzzy Hash: DD41D2B4A087018FCB50DF69C484A9EB7F6EFA8364F158929EC99CB315E734E8418F51
                                                  APIs
                                                  • sqlite3_mutex_enter.SQLITE3 ref: 6094D354
                                                  • sqlite3_mutex_leave.SQLITE3 ref: 6094D546
                                                    • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905D8B
                                                    • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DA4
                                                    • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DB8
                                                  • sqlite3_stricmp.SQLITE3 ref: 6094D3DA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_stricmp$sqlite3_mutex_entersqlite3_mutex_leave
                                                  • String ID: BINARY$INTEGER
                                                  • API String ID: 317512412-1676293250
                                                  • Opcode ID: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                  • Instruction ID: cace79839434994537c0410bddb438ad3d501bddbf1b20fcc6a8a8bdb5da7fdd
                                                  • Opcode Fuzzy Hash: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                  • Instruction Fuzzy Hash: 8E712978A056099BDB05CF69C49079EBBF2BFA8308F11C529EC55AB3A4D734E941CF80
                                                  APIs
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6094B582
                                                  • sqlite3_step.SQLITE3 ref: 6094B590
                                                  • sqlite3_column_int64.SQLITE3 ref: 6094B5AD
                                                  • sqlite3_reset.SQLITE3 ref: 6094B5EE
                                                  • memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: memmovesqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_step
                                                  • String ID:
                                                  • API String ID: 2802900177-0
                                                  • Opcode ID: f7dd783d858009ac2aa36dfb06bc3a4e86bc75c1920f7d1bf53ec4d0fe99899e
                                                  • Instruction ID: fa681a173a9aa7ad5377a8f3376375fc0286f70c891b696e42c92f52458a3a0e
                                                  • Opcode Fuzzy Hash: f7dd783d858009ac2aa36dfb06bc3a4e86bc75c1920f7d1bf53ec4d0fe99899e
                                                  • Instruction Fuzzy Hash: 0B517D75A082018FCB14CF69C48169EF7F7FBA8314F25C669D8499B318EA74EC81CB81
                                                  APIs
                                                  • sqlite3_mutex_enter.SQLITE3 ref: 6093F443
                                                    • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                  • sqlite3_mutex_enter.SQLITE3 ref: 6093F45C
                                                    • Part of subcall function 60939559: memcmp.MSVCRT ref: 60939694
                                                    • Part of subcall function 60939559: memcmp.MSVCRT ref: 609396CA
                                                  • sqlite3_mutex_leave.SQLITE3 ref: 6093F8CD
                                                  • sqlite3_mutex_leave.SQLITE3 ref: 6093F8E3
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: memcmpsqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_try
                                                  • String ID:
                                                  • API String ID: 4038589952-0
                                                  • Opcode ID: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                  • Instruction ID: 916146ddc5613ce70bfe97dc7fabc38680eb49f4f4fdba01105907ea2da9c682
                                                  • Opcode Fuzzy Hash: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                  • Instruction Fuzzy Hash: 87F13674A046158FDB18CFA9C590A9EB7F7AFA8308F248429E846AB355D774EC42CF40
                                                  APIs
                                                    • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
                                                    • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
                                                    • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
                                                    • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6094C719
                                                  • sqlite3_step.SQLITE3 ref: 6094C72A
                                                  • sqlite3_reset.SQLITE3 ref: 6094C73B
                                                    • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                    • Part of subcall function 6094A9F5: sqlite3_free.SQLITE3(?,?,?,00000000,?,?,6094AC3F), ref: 6094AA7A
                                                  • sqlite3_free.SQLITE3 ref: 6094C881
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_bind_int64sqlite3_freesqlite3_resetsqlite3_step$memmovesqlite3_column_int64
                                                  • String ID:
                                                  • API String ID: 3487101843-0
                                                  • Opcode ID: 010aee262a3d8dae5049234a4ef50880699508b325a3cdc2c8e6f431e5b9abd3
                                                  • Instruction ID: dadb85a3919e548a164012fc2e04d9b0ab11445217433cc10b515e99a95ed5c3
                                                  • Opcode Fuzzy Hash: 010aee262a3d8dae5049234a4ef50880699508b325a3cdc2c8e6f431e5b9abd3
                                                  • Instruction Fuzzy Hash: 3681FA74A046098FCB44DF99C480A9DF7F7AFA8354F258529E855AB314EB34EC46CF90
                                                  APIs
                                                    • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                    • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                    • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                  • sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                    • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                  • sqlite3_column_int.SQLITE3 ref: 6096A3F3
                                                  • sqlite3_step.SQLITE3 ref: 6096A435
                                                  • sqlite3_reset.SQLITE3 ref: 6096A445
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_bind_intsqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_prepare_v2sqlite3_resetsqlite3_step
                                                  • String ID:
                                                  • API String ID: 247099642-0
                                                  • Opcode ID: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                  • Instruction ID: 69535c0605dcb565d56369453fd68d3a3097adfd173720c6e67b3d4aca8354ad
                                                  • Opcode Fuzzy Hash: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                  • Instruction Fuzzy Hash: FF2151B0A143148BEB109FA9D88479EB7FAEF64308F00852DE89597350EBB8D845CF51
                                                  APIs
                                                    • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                    • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                    • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                    • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                  • sqlite3_step.SQLITE3 ref: 6096A32D
                                                  • sqlite3_column_int.SQLITE3 ref: 6096A347
                                                    • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
                                                  • sqlite3_reset.SQLITE3 ref: 6096A354
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2sqlite3_resetsqlite3_stepsqlite3_value_int
                                                  • String ID:
                                                  • API String ID: 326482775-0
                                                  • Opcode ID: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                  • Instruction ID: 7c1586c82cd56d85cf32929a5cd575737867df940847ca2bf63216634e784e33
                                                  • Opcode Fuzzy Hash: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                  • Instruction Fuzzy Hash: 0E214DB0A043049BDB04DFA9C480B9EF7FAEFA8354F04C429E8959B340E778D8418B51
                                                  APIs
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
                                                    • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                  • sqlite3_step.SQLITE3 ref: 6094A8CE
                                                  • sqlite3_column_int64.SQLITE3 ref: 6094A8E9
                                                  • sqlite3_reset.SQLITE3 ref: 6094A90F
                                                    • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                    • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_mutex_leave$sqlite3_bind_int64sqlite3_column_int64sqlite3_mutex_entersqlite3_resetsqlite3_step
                                                  • String ID:
                                                  • API String ID: 3728028068-0
                                                  • Opcode ID: 4480569ff34e75ea7b3577054b4356c5dff4901ba2a75f55588298fac9ec1789
                                                  • Instruction ID: ee155327ad46b109c371b626633bea00b74b78c8347343cda40424352d7c4f30
                                                  • Opcode Fuzzy Hash: 4480569ff34e75ea7b3577054b4356c5dff4901ba2a75f55588298fac9ec1789
                                                  • Instruction Fuzzy Hash: 31010C7060A3009FDB00EF2CC48539ABBE5EF64358F15887DE88C8B345E775D8508B82
                                                  APIs
                                                    • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                    • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                    • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6095F83D
                                                    • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6095F85E
                                                  • sqlite3_step.SQLITE3 ref: 6095F869
                                                  • sqlite3_reset.SQLITE3 ref: 6095F874
                                                    • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                    • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_bind_int64sqlite3_mutex_leave$sqlite3_freesqlite3_mprintfsqlite3_mutex_entersqlite3_prepare_v2sqlite3_resetsqlite3_step
                                                  • String ID:
                                                  • API String ID: 2747803115-0
                                                  • Opcode ID: e7ba5a424be07f97404f27e37360827cc19527dc01f9216413d7b5c44ff8a2c2
                                                  • Instruction ID: f00e87c6dd3c8672f4b8fa92d33f96d93ee8ab4b9f2e93312e2458fba8eee522
                                                  • Opcode Fuzzy Hash: e7ba5a424be07f97404f27e37360827cc19527dc01f9216413d7b5c44ff8a2c2
                                                  • Instruction Fuzzy Hash: 9311DBB4A046049FCB04DF69C0C565AF7F6EFA8318F05C869E8898B349E735E894CB91
                                                  APIs
                                                    • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                    • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                    • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6095F7AC
                                                    • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                  • sqlite3_bind_blob.SQLITE3 ref: 6095F7D5
                                                  • sqlite3_step.SQLITE3 ref: 6095F7E0
                                                  • sqlite3_reset.SQLITE3 ref: 6095F7EB
                                                    • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                    • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_mutex_leave$sqlite3_bind_blobsqlite3_bind_int64sqlite3_freesqlite3_mprintfsqlite3_mutex_entersqlite3_prepare_v2sqlite3_resetsqlite3_step
                                                  • String ID:
                                                  • API String ID: 1956248851-0
                                                  • Opcode ID: 50d15a15163a625fc2631aa0d6ee46575d14479fce2c17ccb278089255f39c88
                                                  • Instruction ID: 4081a9388348d49f983bc2db4af636c0e8f58482a36dc41ad0278772ae94fdf0
                                                  • Opcode Fuzzy Hash: 50d15a15163a625fc2631aa0d6ee46575d14479fce2c17ccb278089255f39c88
                                                  • Instruction Fuzzy Hash: 2E01AEB4908304AFDB00EF69D48579EFBE5EF68358F00885EE89887345E7B5D9448B82
                                                  APIs
                                                  • sqlite3_bind_int64.SQLITE3 ref: 609257D2
                                                    • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                  • sqlite3_bind_double.SQLITE3 ref: 609257EA
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_bind_doublesqlite3_bind_int64sqlite3_mutex_leave
                                                  • String ID:
                                                  • API String ID: 1465616180-0
                                                  • Opcode ID: 9530f87787b8119f4c9cc68ae88dcf3bf39b5687c460dfc3dfef9c72e832448e
                                                  • Instruction ID: 7d90fc06d4cce0e838b429dd10c1bf3c3a361cb752c215b3ba3cb2f1ab2ab036
                                                  • Opcode Fuzzy Hash: 9530f87787b8119f4c9cc68ae88dcf3bf39b5687c460dfc3dfef9c72e832448e
                                                  • Instruction Fuzzy Hash: 3D314CB1918304DBCB08DF19E49519ABBE6EB98324F10C51EEC994B38DD378C990CB91
                                                  APIs
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6094B71E
                                                    • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6094B73C
                                                  • sqlite3_step.SQLITE3 ref: 6094B74A
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_bind_int64$sqlite3_mutex_leavesqlite3_step
                                                  • String ID:
                                                  • API String ID: 3305529457-0
                                                  • Opcode ID: dc92f9052f14c19b23696c87723feab2593fd922d888b89f432a916288e70c30
                                                  • Instruction ID: cea3564161c85327b61b62d60446574847d05a2bcfebeda4641ea5396b37aa5a
                                                  • Opcode Fuzzy Hash: dc92f9052f14c19b23696c87723feab2593fd922d888b89f432a916288e70c30
                                                  • Instruction Fuzzy Hash: D401A8B45047049FCB00DF19D9C968ABBE5FF98354F158869FC888B305D374E8548BA6
                                                  APIs
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6094B795
                                                    • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                  • sqlite3_bind_int64.SQLITE3 ref: 6094B7B3
                                                  • sqlite3_step.SQLITE3 ref: 6094B7C1
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_bind_int64$sqlite3_mutex_leavesqlite3_step
                                                  • String ID:
                                                  • API String ID: 3305529457-0
                                                  • Opcode ID: aa85c24925b376cbc314ef521cc12e9f9171d3119abae0787e576649609cd9a8
                                                  • Instruction ID: 1e84d685e39bf1e153ba29bb425c2efe513faafee25cd0ef6e7f8ad628d1a415
                                                  • Opcode Fuzzy Hash: aa85c24925b376cbc314ef521cc12e9f9171d3119abae0787e576649609cd9a8
                                                  • Instruction Fuzzy Hash: 6B01BBB45057049FCB00DF19D58968ABBE5EF98354F15C46AFC888B305E374E854CFA6
                                                  APIs
                                                  • sqlite3_mutex_enter.SQLITE3 ref: 6090C1EA
                                                  • sqlite3_mutex_leave.SQLITE3 ref: 6090C22F
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                  • String ID:
                                                  • API String ID: 1477753154-0
                                                  • Opcode ID: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                  • Instruction ID: fc120f7ed3300d8301d0f99cb769197b575d5683181bd6b289e4b53452841bc5
                                                  • Opcode Fuzzy Hash: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                  • Instruction Fuzzy Hash: 6501F4715042548BDB449F2EC4C576EBBEAEF65318F048469DD419B326D374D882CBA1
                                                  APIs
                                                    • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                  • sqlite3_mutex_leave.SQLITE3 ref: 609255B2
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_logsqlite3_mutex_leave
                                                  • String ID:
                                                  • API String ID: 1465156292-0
                                                  • Opcode ID: 61f2b65abbb078f396bfa931b2809e4962fa985140118a0fa907d432528e7d54
                                                  • Instruction ID: 19c4c58ecb434a21204d9b38047e93a23a7f28015e8477a734fda6841bb58fe8
                                                  • Opcode Fuzzy Hash: 61f2b65abbb078f396bfa931b2809e4962fa985140118a0fa907d432528e7d54
                                                  • Instruction Fuzzy Hash: 56317AB4A082188FCB04DF69D880A8EBBF6FF99314F008559FC5897348D734D940CBA5
                                                  APIs
                                                    • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                  • sqlite3_mutex_leave.SQLITE3 ref: 60925769
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                   • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Similarity
                                                  • API ID: sqlite3_logsqlite3_mutex_leave
                                                  • String ID:
                                                  • API String ID: 1465156292-0
                                                  APIs
                                                    • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                  • sqlite3_mutex_leave.SQLITE3 ref: 60925508
                                                  Similarity
                                                  • API ID: sqlite3_logsqlite3_mutex_leave
                                                  • String ID:
                                                  • API String ID: 1465156292-0
                                                  APIs
                                                    • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                  • sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                  Similarity
                                                  • API ID: sqlite3_logsqlite3_mutex_leave
                                                  • String ID:
                                                  • API String ID: 1465156292-0
                                                  APIs
                                                    • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                  • sqlite3_mutex_leave.SQLITE3 ref: 60925678
                                                  Similarity
                                                  • API ID: sqlite3_logsqlite3_mutex_leave
                                                  • String ID:
                                                  • API String ID: 1465156292-0
                                                  APIs
                                                  • sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                    • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                  Similarity
                                                  • API ID: sqlite3_bind_int64sqlite3_mutex_leave
                                                  • String ID:
                                                  • API String ID: 3064317574-0
                                                  APIs
                                                  • sqlite3_initialize.SQLITE3 ref: 6096C5BE
                                                    • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                  • sqlite3_log.SQLITE3 ref: 6096C5FC
                                                  • sqlite3_free.SQLITE3 ref: 6096C67E
                                                  • sqlite3_free.SQLITE3 ref: 6096CD71
                                                  • sqlite3_mutex_leave.SQLITE3 ref: 6096CD80
                                                  • sqlite3_errcode.SQLITE3 ref: 6096CD88
                                                  • sqlite3_close.SQLITE3 ref: 6096CD97
                                                  • sqlite3_create_function.SQLITE3 ref: 6096CDF8
                                                  Similarity
                                                  • API ID: sqlite3_free$sqlite3_closesqlite3_create_functionsqlite3_errcodesqlite3_initializesqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                  • String ID: BINARY$NOCASE$RTRIM$porter$rtree$rtree_i32$simple
                                                  • API String ID: 1320758876-2501389569
                                                  Similarity
                                                  • API ID: sqlite3_free$sqlite3_snprintf$sqlite3_mutex_entersqlite3_win32_mbcs_to_utf8
                                                  • String ID: \$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
                                                  • API String ID: 937752868-2111127023
                                                  Similarity
                                                  • API ID: memcmp$sqlite3_mprintf$sqlite3_malloc$sqlite3_freesqlite3_vfs_find
                                                  • String ID: @$access$cache
                                                  • API String ID: 4158134138-1361544076
                                                  Strings
                                                  • ATTACH '' AS vacuum_db;, xrefs: 60948529
                                                  • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 60948728
                                                  • SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 609486C8
                                                  • SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %', xrefs: 60948708
                                                  • INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0), xrefs: 60948788
                                                  • SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' , xrefs: 60948748
                                                  • BEGIN;, xrefs: 609485DB
                                                  • ATTACH ':memory:' AS vacuum_db;, xrefs: 60948534
                                                  • PRAGMA vacuum_db.synchronous=OFF, xrefs: 609485BB
                                                  • SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' , xrefs: 609486E8
                                                  • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';, xrefs: 60948768
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_log
                                                  • String ID: ATTACH '' AS vacuum_db;$ATTACH ':memory:' AS vacuum_db;$BEGIN;$INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)$PRAGMA vacuum_db.synchronous=OFF$SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' $SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0$SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'$SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' $SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';$SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                                                  • API String ID: 632333372-52344843
                                                  • Opcode ID: d52540ff3cd5a889f8fcb2175177c5c293f6bf3e96b3409faf11301466b535e5
                                                  • Instruction ID: 17dae18cb22bd420f764556e48f7e631e7f528851c991f2db59136dec61311d4
                                                  • Opcode Fuzzy Hash: d52540ff3cd5a889f8fcb2175177c5c293f6bf3e96b3409faf11301466b535e5
                                                  • Instruction Fuzzy Hash: 1202F6B0A046299BDB2ACF18C88179EB7FABF65304F1081D9E858AB355D771DE81CF41
                                                  APIs
                                                    • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                    • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                    • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                    • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                    • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                    • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                    • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                  • sqlite3_malloc.SQLITE3 ref: 60960384
                                                  • sqlite3_free.SQLITE3 ref: 609605EA
                                                  • sqlite3_result_error_code.SQLITE3 ref: 6096060D
                                                  • sqlite3_free.SQLITE3 ref: 60960618
                                                  • sqlite3_result_text.SQLITE3 ref: 6096063C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_free$sqlite3_result_error_code$sqlite3_bind_int64sqlite3_mallocsqlite3_mprintfsqlite3_resetsqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                  • String ID: offsets
                                                  • API String ID: 463808202-2642679573
                                                  • Opcode ID: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                  • Instruction ID: 1101d6838161b799219a4b3d5732631e197d31251dd2d8b91c34f261bd2faa79
                                                  • Opcode Fuzzy Hash: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                  • Instruction Fuzzy Hash: 72C1D374A183198FDB14CF59C580B8EBBF2BFA8314F2085A9E849AB354D734D985CF52
                                                  APIs
                                                  • sqlite3_value_text.SQLITE3 ref: 6091A3C1
                                                  • sqlite3_value_bytes.SQLITE3 ref: 6091A3D6
                                                  • sqlite3_value_text.SQLITE3 ref: 6091A3E4
                                                  • sqlite3_value_bytes.SQLITE3 ref: 6091A416
                                                  • sqlite3_value_text.SQLITE3 ref: 6091A424
                                                  • sqlite3_value_bytes.SQLITE3 ref: 6091A43A
                                                  • sqlite3_result_text.SQLITE3 ref: 6091A5A2
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_result_text
                                                  • String ID:
                                                  • API String ID: 2903785150-0
                                                  • Opcode ID: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                  • Instruction ID: 050d84d3da0bd462ad4a4a15df4a38950001fc66f1de33c81d7c2c3a6f7146e7
                                                  • Opcode Fuzzy Hash: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                  • Instruction Fuzzy Hash: 8971D074E086599FCF00DFA8C88069DBBF2BF59314F1485AAE855AB304E734EC85CB91
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_freesqlite3_malloc
                                                  • String ID:
                                                  • API String ID: 423083942-0
                                                  • Opcode ID: 039a1925b88827ab71129b12bf0a0cfd7bb9a75e2f5fb5313a60c0869b9e4a18
                                                  • Instruction ID: dba10035f3c017a022ff92dc0406edc4c972eb6647695f7afdbed5011b3e14eb
                                                  • Opcode Fuzzy Hash: 039a1925b88827ab71129b12bf0a0cfd7bb9a75e2f5fb5313a60c0869b9e4a18
                                                  • Instruction Fuzzy Hash: 9112E3B4A15218CFCB18CF98D480A9EBBF6BF98304F24855AD855AB319D774EC42CF90
                                                  APIs
                                                  • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                  • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091264D
                                                  • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912662
                                                  • sqlite3_malloc.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091273E
                                                  • sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912753
                                                  • sqlite3_os_init.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912758
                                                  • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912803
                                                  • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091280E
                                                  • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091282A
                                                  • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091283F
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_freesqlite3_mallocsqlite3_mutex_freesqlite3_os_init
                                                  • String ID:
                                                  • API String ID: 3556715608-0
                                                  • Opcode ID: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                  • Instruction ID: 37d7613b282c24208f37f95ee69ae3eaf9c0527d79975c213f2f38643f7f707f
                                                  • Opcode Fuzzy Hash: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                  • Instruction Fuzzy Hash: FEA14A71A2C215CBEB009F69CC843257FE7B7A7318F10816DD415AB2A0E7B9DC95EB11
                                                  APIs
                                                  • sqlite3_malloc.SQLITE3 ref: 6095F645
                                                  • sqlite3_exec.SQLITE3 ref: 6095F686
                                                    • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
                                                  • sqlite3_free_table.SQLITE3 ref: 6095F6A0
                                                  • sqlite3_mprintf.SQLITE3 ref: 6095F6C7
                                                    • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
                                                    • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
                                                  • sqlite3_free.SQLITE3 ref: 6095F6B4
                                                    • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                  • sqlite3_free.SQLITE3 ref: 6095F6D4
                                                  • sqlite3_free.SQLITE3 ref: 6095F6ED
                                                  • sqlite3_free_table.SQLITE3 ref: 6095F6FF
                                                  • sqlite3_realloc.SQLITE3 ref: 6095F71B
                                                  • sqlite3_free_table.SQLITE3 ref: 6095F72D
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_freesqlite3_free_table$sqlite3_execsqlite3_initializesqlite3_logsqlite3_mallocsqlite3_mprintfsqlite3_mutex_entersqlite3_reallocsqlite3_vmprintf
                                                  • String ID:
                                                  • API String ID: 1866449048-0
                                                  • Opcode ID: 2addae8d4502475aa330d0fbe12d9077f3fed0f055932ab6dac269a256a03500
                                                  • Instruction ID: 9ac78cbffd0e0cf27e5d0fdbf17c3a3d034f00011a14f89e76d08e502163788c
                                                  • Opcode Fuzzy Hash: 2addae8d4502475aa330d0fbe12d9077f3fed0f055932ab6dac269a256a03500
                                                  • Instruction Fuzzy Hash: 8751F1B49467099FDB01DF69D59178EBBF6FF68318F104429E884AB300D379D894CB91
                                                  APIs
                                                  • sqlite3_finalize.SQLITE3 ref: 609407B4
                                                    • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940672
                                                    • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940696
                                                  • sqlite3_finalize.SQLITE3 ref: 609407C2
                                                    • Part of subcall function 6094064B: sqlite3_mutex_enter.SQLITE3 ref: 609406A7
                                                  • sqlite3_finalize.SQLITE3 ref: 609407D0
                                                  • sqlite3_finalize.SQLITE3 ref: 609407DE
                                                  • sqlite3_finalize.SQLITE3 ref: 609407EC
                                                  • sqlite3_finalize.SQLITE3 ref: 609407FA
                                                  • sqlite3_finalize.SQLITE3 ref: 60940808
                                                  • sqlite3_finalize.SQLITE3 ref: 60940816
                                                  • sqlite3_finalize.SQLITE3 ref: 60940824
                                                  • sqlite3_free.SQLITE3 ref: 6094082C
                                                    • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_finalize$sqlite3_logsqlite3_mutex_enter$sqlite3_free
                                                  • String ID:
                                                  • API String ID: 14011187-0
                                                  • Opcode ID: d36625bd4fa8924ea0abcbec615d2e266582c2e39b3be902bd1f9101c01d6c45
                                                  • Instruction ID: 14c977e837db455c9c1ce3b69ce7d4e0fb0da6313972e550a4586d0eb1b189ee
                                                  • Opcode Fuzzy Hash: d36625bd4fa8924ea0abcbec615d2e266582c2e39b3be902bd1f9101c01d6c45
                                                  • Instruction Fuzzy Hash: F7116774504B008BCB50BF78C9C965877E9AFB5308F061978EC8A8F306EB34D4918B15
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $ AND $%s USING %sINDEX %s%s$%s USING AUTOMATIC %sINDEX%.0s%s$)><$0$ANY($COVERING $SCAN$SEARCH$rowid
                                                  • API String ID: 0-780898
                                                  • Opcode ID: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                  • Instruction ID: 1b008e11d07f16b9462ef115b46fd1892196ed4c5360d6a6f9a636b6bab85f9b
                                                  • Opcode Fuzzy Hash: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                  • Instruction Fuzzy Hash: 46D109B0A087099FD714CF99C19079DBBF2BFA8308F10886AE495AB355D774D982CF81
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: aolf$aolf$bolb$bolc$buod$buod$laer$laer$rahc$tni$txet
                                                  • API String ID: 0-2604012851
                                                  • Opcode ID: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
                                                  • Instruction ID: a78f5df49eecf700eafad7d6eadd6707640e608d2d263d021760269e78388884
                                                  • Opcode Fuzzy Hash: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
                                                  • Instruction Fuzzy Hash: 2D31B171A891458ADB21891C85503EE7FBB9BE3344F28902EC8B2DB246C735CCD0C3A2
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: memcmp$sqlite3_logsqlite3_mutex_try
                                                  • String ID: 0$SQLite format 3
                                                  • API String ID: 3174206576-3388949527
                                                  • Opcode ID: e2a376b1a29b79c4f9f51ec04e7584e9c4e5062bfe0a82991cc629df80cc0a0f
                                                  • Instruction ID: d3cc03899c2fb96d27ccc41cf7ad58ff30b38a29db2c3208110d6cb2c70dce50
                                                  • Opcode Fuzzy Hash: e2a376b1a29b79c4f9f51ec04e7584e9c4e5062bfe0a82991cc629df80cc0a0f
                                                  • Instruction Fuzzy Hash: A3028BB0A082659BDB09CF68D48178ABBF7FFA5308F148269E8459B345DB74DC85CF81
                                                  APIs
                                                  • sqlite3_value_text.SQLITE3 ref: 6095F030
                                                  • sqlite3_value_text.SQLITE3 ref: 6095F03E
                                                  • sqlite3_stricmp.SQLITE3 ref: 6095F0B3
                                                  • sqlite3_free.SQLITE3 ref: 6095F180
                                                    • Part of subcall function 6092E279: strcmp.MSVCRT ref: 6092E2AE
                                                    • Part of subcall function 6092E279: sqlite3_free.SQLITE3 ref: 6092E3A8
                                                  • sqlite3_free.SQLITE3 ref: 6095F1BD
                                                    • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                  • sqlite3_result_error_code.SQLITE3 ref: 6095F34E
                                                  Strings
                                                  Similarity
                                                  • API ID: sqlite3_free$sqlite3_value_text$sqlite3_mutex_entersqlite3_result_error_codesqlite3_stricmpstrcmp
                                                  • String ID: |
                                                  • API String ID: 1576672187-2343686810
                                                  • Opcode ID: bd5e6f80f73383bab87bf36e59bc4c906ea1158fee4d4fada053c93264453b50
                                                  • Instruction ID: c4017fd8acd983bc841f22cdb0f4132ffe50c361176833da1127552c957ad2bb
                                                  • Opcode Fuzzy Hash: bd5e6f80f73383bab87bf36e59bc4c906ea1158fee4d4fada053c93264453b50
                                                  • Instruction Fuzzy Hash: B2B189B4A08308CBDB01CF69C491B9EBBF2BF68358F148968E854AB355D734EC55CB81
                                                  APIs
                                                  • sqlite3_file_control.SQLITE3 ref: 609537BD
                                                  • sqlite3_free.SQLITE3 ref: 60953842
                                                  • sqlite3_free.SQLITE3 ref: 6095387C
                                                    • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                  • sqlite3_stricmp.SQLITE3 ref: 609538D4
                                                  Strings
                                                  Similarity
                                                  • API ID: sqlite3_free$sqlite3_file_controlsqlite3_mutex_entersqlite3_stricmp
                                                  • String ID: 6$timeout
                                                  • API String ID: 2671017102-3660802998
                                                  • Opcode ID: 8cffcba2199636318c40f61931f0f453c1b4c4e8a0677f5b7de6569c291e0b77
                                                  • Instruction ID: da3e9078838fdf1f068eeacc94130b5fe058058c2a53432068b0843c8cdd1fdd
                                                  • Opcode Fuzzy Hash: 8cffcba2199636318c40f61931f0f453c1b4c4e8a0677f5b7de6569c291e0b77
                                                  • Instruction Fuzzy Hash: 6CA11270A083198BDB15CF6AC88079EBBF6BFA9304F10846DE8589B354D774D885CF41
                                                  APIs
                                                  • sqlite3_snprintf.SQLITE3 ref: 6095D450
                                                    • Part of subcall function 60917354: sqlite3_vsnprintf.SQLITE3 ref: 60917375
                                                  • sqlite3_snprintf.SQLITE3 ref: 6095D4A1
                                                  • sqlite3_snprintf.SQLITE3 ref: 6095D525
                                                  Strings
                                                  Similarity
                                                  • API ID: sqlite3_snprintf$sqlite3_vsnprintf
                                                  • String ID: $)><$sqlite_master$sqlite_temp_master
                                                  • API String ID: 652164897-1572359634
                                                  • Opcode ID: 8bad6b48079287e07d66e35ebf7d727d8c0cc4a3de3635d3393f65d8d520b325
                                                  • Instruction ID: a98725bc65f6cff0ffebef66634980575a39ba2d787d432de3c608a01e11e389
                                                  • Opcode Fuzzy Hash: 8bad6b48079287e07d66e35ebf7d727d8c0cc4a3de3635d3393f65d8d520b325
                                                  • Instruction Fuzzy Hash: 5991F275E05219CFCB15CF98C48169DBBF2BFA9308F14845AE859AB314DB34ED46CB81
                                                  APIs
                                                  • sqlite3_value_text.SQLITE3 ref: 6091B06E
                                                  • sqlite3_result_error_toobig.SQLITE3 ref: 6091B178
                                                  • sqlite3_result_error_nomem.SQLITE3 ref: 6091B197
                                                  • sqlite3_result_text.SQLITE3 ref: 6091B5A3
                                                  Similarity
                                                  • API ID: sqlite3_result_error_nomemsqlite3_result_error_toobigsqlite3_result_textsqlite3_value_text
                                                  • String ID:
                                                  • API String ID: 2352520524-0
                                                  • Opcode ID: 91a3e282f54c964bbb8224fbc5594699699e4a7ba29507b0b3f6ff953b241f0e
                                                  • Instruction ID: 99f21b63ad5c9672efebb0dd762c853f70c7e366ddc85f9db9da2d733c13ec0c
                                                  • Opcode Fuzzy Hash: 91a3e282f54c964bbb8224fbc5594699699e4a7ba29507b0b3f6ff953b241f0e
                                                  • Instruction Fuzzy Hash: F9E16B71E4C2199BDB208F18C89039EBBF7AB65314F1584DAE8A857351D738DCC19F82
                                                  APIs
                                                    • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                    • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                    • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                  • sqlite3_exec.SQLITE3 ref: 6096A4D7
                                                    • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
                                                  • sqlite3_result_text.SQLITE3 ref: 6096A5D3
                                                    • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                    • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
                                                    • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
                                                  • sqlite3_exec.SQLITE3 ref: 6096A523
                                                  • sqlite3_exec.SQLITE3 ref: 6096A554
                                                  • sqlite3_exec.SQLITE3 ref: 6096A57F
                                                  • sqlite3_result_error_code.SQLITE3 ref: 6096A5E1
                                                  Strings
                                                  Similarity
                                                  • API ID: sqlite3_exec$sqlite3_bind_intsqlite3_freesqlite3_logsqlite3_mprintfsqlite3_resetsqlite3_result_error_codesqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                  • String ID: optimize
                                                  • API String ID: 3659050757-3797040228
                                                  • Opcode ID: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                  • Instruction ID: 653702cfcd2f061f0588c77de086fc27204f9fc351fc8b4992cba684a546c14d
                                                  • Opcode Fuzzy Hash: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                  • Instruction Fuzzy Hash: E831C3B11187119FE310DF24C49570FBBE6ABA1368F10C91DF9968B350E7B9D8459F82
                                                  APIs
                                                  • sqlite3_column_blob.SQLITE3 ref: 609654FB
                                                  • sqlite3_column_bytes.SQLITE3 ref: 60965510
                                                  • sqlite3_reset.SQLITE3 ref: 60965556
                                                  • sqlite3_reset.SQLITE3 ref: 609655B8
                                                    • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                    • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                  • sqlite3_malloc.SQLITE3 ref: 60965655
                                                  • sqlite3_free.SQLITE3 ref: 60965714
                                                  • sqlite3_free.SQLITE3 ref: 6096574B
                                                    • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                  • sqlite3_free.SQLITE3 ref: 609657AA
                                                  Similarity
                                                  • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_reset$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mutex_leave
                                                  • String ID:
                                                  • API String ID: 2722129401-0
                                                  • Opcode ID: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
                                                  • Instruction ID: e3a8cc565ee031670952cbbbf81914cbe75110044a29491daaf6513bdc913a85
                                                  • Opcode Fuzzy Hash: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
                                                  • Instruction Fuzzy Hash: BBD1D270E14219CFEB14CFA9C48469DBBF2BF68304F20856AD899AB346D774E845CF81
                                                  APIs
                                                  • sqlite3_malloc.SQLITE3 ref: 609645D9
                                                    • Part of subcall function 60928099: sqlite3_malloc.SQLITE3 ref: 609280ED
                                                  • sqlite3_free.SQLITE3 ref: 609647C5
                                                    • Part of subcall function 60963D35: memcmp.MSVCRT ref: 60963E74
                                                  • sqlite3_free.SQLITE3 ref: 6096476B
                                                    • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                  • sqlite3_free.SQLITE3 ref: 6096477B
                                                  • sqlite3_free.SQLITE3 ref: 60964783
                                                  Similarity
                                                  • API ID: sqlite3_free$sqlite3_malloc$memcmpsqlite3_mutex_enter
                                                  • String ID:
                                                  • API String ID: 571598680-0
                                                  • Opcode ID: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                  • Instruction ID: 53ad94a03898eae12f4127695087571842428d6fdffc19c65fee49adcf86f1ae
                                                  • Opcode Fuzzy Hash: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                  • Instruction Fuzzy Hash: 5E91F674E14228CFEB14CFA9D890B9EBBB6BB99304F1085AAD849A7344D734DD81CF51
                                                  APIs
                                                  • sqlite3_mprintf.SQLITE3 ref: 60929761
                                                    • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
                                                    • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
                                                  • sqlite3_mprintf.SQLITE3 ref: 609297C8
                                                  • sqlite3_mprintf.SQLITE3 ref: 6092988B
                                                  • sqlite3_free.SQLITE3 ref: 609298A4
                                                  • sqlite3_free.SQLITE3 ref: 609298AC
                                                  Similarity
                                                  • API ID: sqlite3_mprintf$sqlite3_free$sqlite3_initializesqlite3_vmprintf
                                                  • String ID:
                                                  • API String ID: 251866411-0
                                                  • Opcode ID: a3bf00685530be514bf65e4252527f4a7bfa11b3ac4fddf1f02e32dfe1b6d316
                                                  • Instruction ID: c0caaa5c89e6f65941469514643da9571fc5146b16edc1869e8ccb0497590022
                                                  • Opcode Fuzzy Hash: a3bf00685530be514bf65e4252527f4a7bfa11b3ac4fddf1f02e32dfe1b6d316
                                                  • Instruction Fuzzy Hash: 4C417970E142098FCB00DF68D48069EFBF6FFAA314F15852AE855AB344DB34D842CB81
                                                  APIs
                                                  • sqlite3_value_int.SQLITE3 ref: 6091A7A9
                                                  • sqlite3_value_bytes.SQLITE3 ref: 6091A7C3
                                                  • sqlite3_value_blob.SQLITE3 ref: 6091A7D0
                                                  • sqlite3_value_text.SQLITE3 ref: 6091A7E3
                                                  • sqlite3_value_int.SQLITE3 ref: 6091A842
                                                  • sqlite3_result_text.SQLITE3 ref: 6091A973
                                                  • sqlite3_result_blob.SQLITE3 ref: 6091AA08
                                                  Similarity
                                                  • API ID: sqlite3_value_int$sqlite3_result_blobsqlite3_result_textsqlite3_value_blobsqlite3_value_bytessqlite3_value_text
                                                  • String ID:
                                                  • API String ID: 1854132711-0
                                                  • Opcode ID: 784825b838f169ca3662fcccfed6716ebcc1b6a8caffef0423c1b1d1c55abeb3
                                                  • Instruction ID: 5a39f3de11663d91415d6d961256fd3a5a8574b0eada45011bd6777fd74d0884
                                                  • Opcode Fuzzy Hash: 784825b838f169ca3662fcccfed6716ebcc1b6a8caffef0423c1b1d1c55abeb3
                                                  • Instruction Fuzzy Hash: 6CA15C71E0862D8BDB05CFA9C88069DB7B2BF69324F148299E865A7391D734DC86CF50
                                                  APIs
                                                  • sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                    • Part of subcall function 60962F28: sqlite3_log.SQLITE3 ref: 60962F5D
                                                  • sqlite3_mprintf.SQLITE3 ref: 60963534
                                                  • sqlite3_blob_open.SQLITE3 ref: 6096358B
                                                  • sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                  • sqlite3_malloc.SQLITE3 ref: 609635BB
                                                  • sqlite3_blob_read.SQLITE3 ref: 60963602
                                                  • sqlite3_free.SQLITE3 ref: 60963621
                                                  Similarity
                                                  • API ID: sqlite3_blob_bytessqlite3_blob_opensqlite3_blob_readsqlite3_blob_reopensqlite3_freesqlite3_logsqlite3_mallocsqlite3_mprintf
                                                  • String ID:
                                                  • API String ID: 4276469440-0
                                                  • Opcode ID: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
                                                  • Instruction ID: 177081cd506585250240414a33056f89eeda992db91a315aff795e5fc91eaf1e
                                                  • Opcode Fuzzy Hash: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
                                                  • Instruction Fuzzy Hash: C641E5B09087059FDB40DF29C48179EBBE6AF98354F01C87AE898DB354E734D841DB92
                                                  APIs
                                                  • sqlite3_value_text.SQLITE3 ref: 6091A240
                                                  • sqlite3_value_text.SQLITE3 ref: 6091A24E
                                                  • sqlite3_value_bytes.SQLITE3 ref: 6091A25A
                                                  • sqlite3_value_text.SQLITE3 ref: 6091A27C
                                                  Strings
                                                  • ESCAPE expression must be a single character, xrefs: 6091A293
                                                  • LIKE or GLOB pattern too complex, xrefs: 6091A267
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  Similarity
                                                  • API ID: sqlite3_value_text$sqlite3_value_bytes
                                                  • String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
                                                  • API String ID: 4080917175-264706735
                                                  • Opcode ID: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                  • Instruction ID: 7e7232241edcba55bc41816b79a09feadaac9d75cc2fb544db44a2248cbef301
                                                  • Opcode Fuzzy Hash: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                  • Instruction Fuzzy Hash: A4214C74A182198BCB00DF79C88165EBBF6FF64354B108AA9E864DB344E734DCC6CB95
                                                  APIs
                                                    • Part of subcall function 6092506E: sqlite3_log.SQLITE3 ref: 609250AB
                                                  • sqlite3_mutex_enter.SQLITE3 ref: 609250E7
                                                  • sqlite3_value_text16.SQLITE3 ref: 60925100
                                                  • sqlite3_value_text16.SQLITE3 ref: 6092512C
                                                  • sqlite3_mutex_leave.SQLITE3 ref: 6092513E
                                                  Similarity
                                                  • API ID: sqlite3_value_text16$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                  • String ID: library routine called out of sequence$out of memory
                                                  • API String ID: 2019783549-3029887290
                                                  • Opcode ID: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                  • Instruction ID: f6310061860eb79c45c0a7b6efb00bde58ba827c5a391e7df96a4cb3fbc4cfa9
                                                  • Opcode Fuzzy Hash: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                  • Instruction Fuzzy Hash: 81014C70A083049BDB14AF69C9C170EBBE6BF64248F0488A9EC958F30EE775D8818B51
                                                  APIs
                                                  • sqlite3_finalize.SQLITE3 ref: 609406E3
                                                    • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940672
                                                    • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940696
                                                  • sqlite3_free.SQLITE3 ref: 609406F7
                                                  • sqlite3_free.SQLITE3 ref: 60940705
                                                  • sqlite3_free.SQLITE3 ref: 60940713
                                                  • sqlite3_free.SQLITE3 ref: 6094071E
                                                  • sqlite3_free.SQLITE3 ref: 60940729
                                                  • sqlite3_free.SQLITE3 ref: 6094073C
                                                  Similarity
                                                  • API ID: sqlite3_free$sqlite3_log$sqlite3_finalize
                                                  • String ID:
                                                  • API String ID: 1159759059-0
                                                  • Opcode ID: 19269ae46022e444f8470c890b78f38089a522c4155da373e534dfec766a18bc
                                                  • Instruction ID: 8ceab58ab7f3fb7faec85fb80e78016d1f3d655de586deaf1cb04ee1bc4e3406
                                                  • Opcode Fuzzy Hash: 19269ae46022e444f8470c890b78f38089a522c4155da373e534dfec766a18bc
                                                  • Instruction Fuzzy Hash: C801E8B45447108BDB00AF78C4C5A59BBE5EF79B18F06096DECCA8B305D734D8809B91
                                                  APIs
                                                  • sqlite3_free.SQLITE3(?), ref: 609476DD
                                                    • Part of subcall function 60904423: sqlite3_mutex_leave.SQLITE3(6090449D,?,?,?,60908270), ref: 60904446
                                                  • sqlite3_log.SQLITE3 ref: 609498F5
                                                  Similarity
                                                  • API ID: sqlite3_freesqlite3_logsqlite3_mutex_leave
                                                  • String ID: List of tree roots: $d$|
                                                  • API String ID: 3709608969-1164703836
                                                  • Opcode ID: 4de08d56d8a6e192ae2dda07a929c8b2a00a3f2e2d212eb9bfb53aebfe2a6bac
                                                  • Instruction ID: c91562837ba2d96ae21b52ab8334c840e7cbe23d8154f1acff92b465618a0bd4
                                                  • Opcode Fuzzy Hash: 4de08d56d8a6e192ae2dda07a929c8b2a00a3f2e2d212eb9bfb53aebfe2a6bac
                                                  • Instruction Fuzzy Hash: 3FE10570A043698BDB22CF18C88179DFBBABF65304F1185D9E858AB251D775DE81CF81
                                                  APIs
                                                    • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                    • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                    • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                    • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                  • sqlite3_column_int64.SQLITE3 ref: 609600BA
                                                  • sqlite3_column_text.SQLITE3 ref: 609600EF
                                                  • sqlite3_free.SQLITE3 ref: 6096029A
                                                  Similarity
                                                  • API ID: sqlite3_bind_int64sqlite3_column_int64sqlite3_column_textsqlite3_freesqlite3_resetsqlite3_result_error_codesqlite3_step
                                                  • String ID: e
                                                  • API String ID: 786425071-4024072794
                                                  • Opcode ID: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                  • Instruction ID: e80500568aa73e744b5c90812a7938b6c4ac38b40afb48beb036dafaf3e7d002
                                                  • Opcode Fuzzy Hash: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                  • Instruction Fuzzy Hash: 6291E270A18609CFDB04CF99C494B9EBBF2BF98314F108529E869AB354D774E885CF91
                                                  Similarity
                                                  • API ID: sqlite3_exec
                                                  • String ID: sqlite_master$sqlite_temp_master$|
                                                  • API String ID: 2141490097-2247242311
                                                  • Opcode ID: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
                                                  • Instruction ID: 9143400cfb6dc20a8edc2ca7c04099347fc9d468871a1d2187ae3123f936d49a
                                                  • Opcode Fuzzy Hash: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
                                                  • Instruction Fuzzy Hash: C551B6B09083289BDB26CF18C885799BBFABF59304F108599E498A7351D775DA84CF41
                                                  Similarity
                                                  • API ID: sqlite3_free$memcmpsqlite3_realloc
                                                  • String ID:
                                                  • API String ID: 3422960571-0
                                                  • Opcode ID: 50eda45380483794e32bdd730fc6b6b580c41d30328003452ec2c22d7d846426
                                                  • Instruction ID: 3b390e38dde49c5924589a602beaf2ee173d98914be71c714148da16d267e2cf
                                                  • Opcode Fuzzy Hash: 50eda45380483794e32bdd730fc6b6b580c41d30328003452ec2c22d7d846426
                                                  • Instruction Fuzzy Hash: 42B1D0B4E142189BEB05CFA9C5807DDBBF6BFA8304F148429E858A7344D374E946CF91
                                                  APIs
                                                    • Part of subcall function 6090A0D5: sqlite3_free.SQLITE3 ref: 6090A118
                                                  • sqlite3_malloc.SQLITE3 ref: 6094B1D1
                                                  • sqlite3_value_bytes.SQLITE3 ref: 6094B24C
                                                  • sqlite3_malloc.SQLITE3 ref: 6094B272
                                                  • sqlite3_value_blob.SQLITE3 ref: 6094B298
                                                  • sqlite3_free.SQLITE3 ref: 6094B2C8
                                                    • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
                                                    • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
                                                    • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
                                                    • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
                                                  Similarity
                                                  • API ID: sqlite3_freesqlite3_malloc$sqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_stepsqlite3_value_blobsqlite3_value_bytes
                                                  • String ID:
                                                  • API String ID: 683514883-0
                                                  • Opcode ID: a6abbae8c6e8f2e89577a489a37bdbe998ef9662ada317e1813a59820f6ee2b0
                                                  • Instruction ID: 83940ce9cf0a2bab7a741171fc95cc3a005d2848f59039768723a80715f2adcb
                                                  • Opcode Fuzzy Hash: a6abbae8c6e8f2e89577a489a37bdbe998ef9662ada317e1813a59820f6ee2b0
                                                  • Instruction Fuzzy Hash: E19133B1A052099FCB04CFA9D490B9EBBF6FF68314F108569E855AB341DB34ED81CB91
                                                  APIs
                                                  • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A200
                                                  • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A391
                                                  • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A3A3
                                                  • sqlite3_free.SQLITE3 ref: 6093A3BA
                                                  • sqlite3_free.SQLITE3 ref: 6093A3C2
                                                    • Part of subcall function 6093A0C5: sqlite3_mutex_enter.SQLITE3 ref: 6093A114
                                                    • Part of subcall function 6093A0C5: sqlite3_mutex_free.SQLITE3 ref: 6093A152
                                                    • Part of subcall function 6093A0C5: sqlite3_mutex_leave.SQLITE3 ref: 6093A162
                                                    • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1A4
                                                    • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1C3
                                                  Similarity
                                                  • API ID: sqlite3_free$sqlite3_mutex_leave$sqlite3_mutex_free$sqlite3_mutex_enter
                                                  • String ID:
                                                  • API String ID: 1903298374-0
                                                  • Opcode ID: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
                                                  • Instruction ID: f6c450fbbadf2e04ab128defb7df19fdb2a161b4e6cf4e71623f80625393026f
                                                  • Opcode Fuzzy Hash: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
                                                  • Instruction Fuzzy Hash: EB513870A047218BDB58DF69C8C074AB7A6BF65318F05896CECA69B305D735EC41CF91
                                                  APIs
                                                    • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                  • sqlite3_mutex_enter.SQLITE3 ref: 6093A114
                                                  • sqlite3_mutex_free.SQLITE3 ref: 6093A152
                                                  • sqlite3_mutex_leave.SQLITE3 ref: 6093A162
                                                  • sqlite3_free.SQLITE3 ref: 6093A1A4
                                                  • sqlite3_free.SQLITE3 ref: 6093A1C3
                                                  Similarity
                                                  • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
                                                  • String ID:
                                                  • API String ID: 1894464702-0
                                                  • Opcode ID: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
                                                  • Instruction ID: 8ebadd1dc7ee404a0f141fd21885e91e0aa1156a5a6df10951b92a0b718128ce
                                                  • Opcode Fuzzy Hash: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
                                                  • Instruction Fuzzy Hash: CF313C70B086118BDB18DF79C8C1A1A7BFBBFB2704F148468E8418B219EB35DC419F91
                                                  APIs
                                                    • Part of subcall function 60925326: sqlite3_log.SQLITE3 ref: 60925352
                                                  • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,609254CC), ref: 6092538E
                                                  • sqlite3_mutex_leave.SQLITE3 ref: 609253C4
                                                  • sqlite3_log.SQLITE3 ref: 609253E2
                                                  • sqlite3_log.SQLITE3 ref: 60925406
                                                  • sqlite3_mutex_leave.SQLITE3 ref: 60925443
                                                  Similarity
                                                  • API ID: sqlite3_log$sqlite3_mutex_leave$sqlite3_mutex_enter
                                                  • String ID:
                                                  • API String ID: 3336957480-0
                                                  • Opcode ID: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
                                                  • Instruction ID: a100dd02d465b32589d57b5b9efe4db3cd483c3b5de54de748c9b161d5d001e2
                                                  • Opcode Fuzzy Hash: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
                                                  • Instruction Fuzzy Hash: D3315A70228704DBDB00EF28D49575ABBE6AFA1358F00886DE9948F36DD778C885DB02
                                                  APIs
                                                  • sqlite3_result_blob.SQLITE3 ref: 609613D0
                                                  • sqlite3_column_int.SQLITE3 ref: 6096143A
                                                  • sqlite3_data_count.SQLITE3 ref: 60961465
                                                  • sqlite3_column_value.SQLITE3 ref: 60961476
                                                  • sqlite3_result_value.SQLITE3 ref: 60961482
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_column_intsqlite3_column_valuesqlite3_data_countsqlite3_result_blobsqlite3_result_value
                                                  • String ID:
                                                  • API String ID: 3091402450-0
                                                  • Opcode ID: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
                                                  • Instruction ID: 8b12398a3b1f37ca0d2e1a8d549e1f0529ecbd38da511dd0edd3444da8e5cc4d
                                                  • Opcode Fuzzy Hash: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
                                                  • Instruction Fuzzy Hash: 72314DB19082058FDB00DF29C48064EB7F6FF65354F19856AE8999B361EB34E886CF81
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                                  • String ID:
                                                  • API String ID: 251237202-0
                                                  • Opcode ID: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
                                                  • Instruction ID: 8e14962182cb4ba31828fc05f1b37fa5954e33605a362b2e641de35f96add61e
                                                  • Opcode Fuzzy Hash: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
                                                  • Instruction Fuzzy Hash: 022137B46087158BC709AF68C48570ABBF6FFA5318F10895DEC958B345DB74E940CB82
                                                  APIs
                                                  • sqlite3_aggregate_context.SQLITE3 ref: 6091A31E
                                                  • sqlite3_value_text.SQLITE3 ref: 6091A349
                                                  • sqlite3_value_bytes.SQLITE3 ref: 6091A356
                                                  • sqlite3_value_text.SQLITE3 ref: 6091A37B
                                                  • sqlite3_value_bytes.SQLITE3 ref: 6091A387
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_aggregate_context
                                                  • String ID:
                                                  • API String ID: 4225432645-0
                                                  • Opcode ID: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
                                                  • Instruction ID: 24a20a1669ecabf1c8c9e0f75de4e20f6480f0c3e20d7f4799920e66bb4c3c2a
                                                  • Opcode Fuzzy Hash: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
                                                  • Instruction Fuzzy Hash: 3F21CF71B086588FDB009F29C48075E7BE7AFA4254F0484A8E894CF305EB34DC86CB91
                                                  APIs
                                                  • sqlite3_mutex_enter.SQLITE3(?,-00000200,?), ref: 6090359D
                                                  • sqlite3_mutex_leave.SQLITE3(?,-00000200,?), ref: 609035E0
                                                  • sqlite3_mutex_enter.SQLITE3(?,-00000200,?), ref: 609035F9
                                                  • sqlite3_mutex_leave.SQLITE3(?,-00000200,?), ref: 60903614
                                                  • sqlite3_free.SQLITE3(?,-00000200,?), ref: 6090361C
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                                  • String ID:
                                                  • API String ID: 251237202-0
                                                  • Opcode ID: d176fa110bd2286076a254f1a84b89a7a2b75649dc4a807f2bdee778eef171d4
                                                  • Instruction ID: 98a7ce7f1ce2ff6a0e5ca4ca87ec4bf20a5c319c62b2fc6798152503390b0136
                                                  • Opcode Fuzzy Hash: d176fa110bd2286076a254f1a84b89a7a2b75649dc4a807f2bdee778eef171d4
                                                  • Instruction Fuzzy Hash: B211FE725186218BCB00EF7DC8C16197FE7FB66358F01491DE866D7362D73AD480AB42
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_log
                                                  • String ID: ($string or blob too big$|
                                                  • API String ID: 632333372-2398534278
                                                  • Opcode ID: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
                                                  • Instruction ID: 3c3a64a58f66130c0c9aec06ea77be0954bd7b4098f3428da06b6372deec6608
                                                  • Opcode Fuzzy Hash: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
                                                  • Instruction Fuzzy Hash: 5DC10CB5A043288FCB66CF28C981789B7BABB59304F1085D9E958A7345C775EF81CF40
                                                  APIs
                                                  • sqlite3_stricmp.SQLITE3(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6094E8D4), ref: 60923675
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_stricmp
                                                  • String ID: BINARY
                                                  • API String ID: 912767213-907554435
                                                  • Opcode ID: 3d1fa6dfa686e47e8cf6a82fec0319180f7cc9a55e66fae3459e63466e3d3e47
                                                  • Instruction ID: 142a1e9d4f1e8552d2c1f4074703eb5ae9f1e70d76b7ded3e689f9c37387bea1
                                                  • Opcode Fuzzy Hash: 3d1fa6dfa686e47e8cf6a82fec0319180f7cc9a55e66fae3459e63466e3d3e47
                                                  • Instruction Fuzzy Hash: 11512AB8A142159FCF05CF68D580A9EBBFBBFA9314F208569D855AB318D335EC41CB90
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: Virtual$Protect$Query
                                                  • String ID: @
                                                  • API String ID: 3618607426-2766056989
                                                  • Opcode ID: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
                                                  • Instruction ID: 11fd3fd6c91f2e29dbdaed7331fdf7a08ef8f1da01c53322037319a40d79a89e
                                                  • Opcode Fuzzy Hash: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
                                                  • Instruction Fuzzy Hash: 003141B5E15208AFEB14DFA9D48158EFFF5EF99254F10852AE868E3310E371D940CB52
                                                  APIs
                                                  • sqlite3_malloc.SQLITE3 ref: 60928353
                                                    • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                  • sqlite3_realloc.SQLITE3 ref: 609283A0
                                                  • sqlite3_free.SQLITE3 ref: 609283B6
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
                                                  • String ID: d
                                                  • API String ID: 211589378-2564639436
                                                  • Opcode ID: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
                                                  • Instruction ID: 0830c2115c9ea807631a831f7f1165b0ee40d8a8a94356aa67113494a68d5982
                                                  • Opcode Fuzzy Hash: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
                                                  • Instruction Fuzzy Hash: 222137B0A04205CFDB14DF59D4C078ABBF6FF69314F158469D8889B309E3B8E841CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: _Jv_RegisterClasses$libgcj-11.dll
                                                  • API String ID: 1646373207-2713375476
                                                  • Opcode ID: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                  • Instruction ID: e6822cb61b404b68644b44a252d8259deade1a358cfa59fcc717d95409d4d83a
                                                  • Opcode Fuzzy Hash: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                  • Instruction Fuzzy Hash: 0DE04F7062D30586FB443F794D923297AEB5F72549F00081CD9929B240EBB4D440D753
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .$:$:$;$;
                                                  • API String ID: 0-3979609778
                                                  • Opcode ID: 50b9d7b53ff024c5b5e5e467dd09a5a86a30f3212454febefa11a70b635a06cf
                                                  • Instruction ID: 88cbeff3cb36a4107b9ab761e04ae617a78179eaf1b2646578849985a96e8386
                                                  • Opcode Fuzzy Hash: 50b9d7b53ff024c5b5e5e467dd09a5a86a30f3212454febefa11a70b635a06cf
                                                  • Instruction Fuzzy Hash: 9D519DB1A083419ED701CF15C58438ABFF6FB55348F24891DD8959B291E3B9CA89CFD2
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_free
                                                  • String ID:
                                                  • API String ID: 2313487548-0
                                                  • Opcode ID: 17c4197e66eccf8e4e539c70c01e6b2d08fb8491bcf73b2b2b780fd64eb57762
                                                  • Instruction ID: 4e09bb13dd5a3c3c1d339de95b14bc5918580ae4e3dbdcf066e72e084d482625
                                                  • Opcode Fuzzy Hash: 17c4197e66eccf8e4e539c70c01e6b2d08fb8491bcf73b2b2b780fd64eb57762
                                                  • Instruction Fuzzy Hash: 15E14674928209EFDB04CF94D184B9EBBB2FF69304F208558D8956B259D774EC86CF81
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: sqlite_master$sqlite_sequence$sqlite_temp_master
                                                  • API String ID: 0-1177837799
                                                  • Opcode ID: 220fba3a2fb3ab4d5034cb0a2e8c7e996f73753fd556fb076663e5e6b14f60a3
                                                  • Instruction ID: e5240d50caebec33bd4ce83d4b9fb982fe545a794019e3d400788b6e3ec19482
                                                  • Opcode Fuzzy Hash: 220fba3a2fb3ab4d5034cb0a2e8c7e996f73753fd556fb076663e5e6b14f60a3
                                                  • Instruction Fuzzy Hash: F7C13974B062089BDB05DF68D49179EBBF3AFA8308F14C42DE8899B345DB39D841CB41
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Similarity
                                                  • API ID: sqlite3_mutex_leave$sqlite3_logsqlite3_mutex_enter
                                                  • String ID:
                                                  • API String ID: 4249760608-0
                                                  APIs
                                                  Similarity
                                                  • API ID: sqlite3_freesqlite3_mallocsqlite3_value_bytessqlite3_value_text
                                                  • String ID:
                                                  • API String ID: 1648232842-0
                                                  APIs
                                                  • sqlite3_step.SQLITE3 ref: 609614AB
                                                  • sqlite3_reset.SQLITE3 ref: 609614BF
                                                    • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                    • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                  • sqlite3_column_int64.SQLITE3 ref: 609614D4
                                                  Similarity
                                                  • API ID: sqlite3_column_int64sqlite3_mutex_entersqlite3_mutex_leavesqlite3_resetsqlite3_step
                                                  • String ID:
                                                  • API String ID: 3429445273-0
                                                  APIs
                                                  Similarity
                                                  • API ID: sqlite3_snprintf$sqlite3_stricmpsqlite3_value_text
                                                  • String ID:
                                                  • API String ID: 1035992805-0
                                                  APIs
                                                  • sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 609034D8
                                                  • sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903521
                                                  • sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 6090354A
                                                  • sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903563
                                                  Similarity
                                                  • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                  • String ID:
                                                  • API String ID: 1477753154-0
                                                  APIs
                                                  • sqlite3_initialize.SQLITE3 ref: 6092A450
                                                    • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                  • sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                  • sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                  • sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                  Similarity
                                                  • API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_leave
                                                  • String ID:
                                                  • API String ID: 2673540737-0
                                                  APIs
                                                  Similarity
                                                  • API ID: sqlite3_value_text$sqlite3_freesqlite3_load_extension
                                                  • String ID:
                                                  • API String ID: 3526213481-0
                                                  APIs
                                                  • sqlite3_prepare.SQLITE3 ref: 60969166
                                                  • sqlite3_errmsg.SQLITE3 ref: 60969172
                                                    • Part of subcall function 609258A8: sqlite3_log.SQLITE3 ref: 609258E5
                                                  • sqlite3_errcode.SQLITE3 ref: 6096918A
                                                    • Part of subcall function 609251AA: sqlite3_log.SQLITE3 ref: 609251E8
                                                  • sqlite3_step.SQLITE3 ref: 60969197
                                                  Similarity
                                                  • API ID: sqlite3_log$sqlite3_errcodesqlite3_errmsgsqlite3_preparesqlite3_step
                                                  • String ID:
                                                  • API String ID: 2877408194-0
                                                  APIs
                                                  Similarity
                                                  • API ID: sqlite3_freesqlite3_mprintfsqlite3_value_blobsqlite3_value_bytes
                                                  • String ID:
                                                  • API String ID: 1163609955-0
                                                  APIs
                                                  • sqlite3_prepare_v2.SQLITE3 ref: 609615BA
                                                  • sqlite3_step.SQLITE3 ref: 609615C9
                                                  • sqlite3_column_int.SQLITE3 ref: 609615E1
                                                    • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
                                                  • sqlite3_finalize.SQLITE3 ref: 609615EE
                                                  Similarity
                                                  • API ID: sqlite3_column_intsqlite3_finalizesqlite3_prepare_v2sqlite3_stepsqlite3_value_int
                                                  • String ID:
                                                  • API String ID: 4265739436-0
                                                  APIs
                                                  • sqlite3_initialize.SQLITE3 ref: 6092A638
                                                    • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                  • sqlite3_mutex_enter.SQLITE3 ref: 6092A64F
                                                  • strcmp.MSVCRT ref: 6092A66A
                                                  • sqlite3_mutex_leave.SQLITE3 ref: 6092A67D
                                                  Similarity
                                                  • API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_mutex_leavestrcmp
                                                  • String ID:
                                                  • API String ID: 1894734062-0
                                                  APIs
                                                  • sqlite3_mutex_enter.SQLITE3 ref: 609084E9
                                                  • sqlite3_mutex_leave.SQLITE3 ref: 60908518
                                                  • sqlite3_mutex_enter.SQLITE3 ref: 60908528
                                                  • sqlite3_mutex_leave.SQLITE3 ref: 6090855B
                                                  Similarity
                                                  • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                  • String ID:
                                                  • API String ID: 1477753154-0
                                                  APIs
                                                  • sqlite3_free.SQLITE3 ref: 609408BE
                                                  • sqlite3_blob_close.SQLITE3 ref: 609408C9
                                                    • Part of subcall function 60940849: sqlite3_mutex_enter.SQLITE3 ref: 60940864
                                                    • Part of subcall function 60940849: sqlite3_finalize.SQLITE3 ref: 6094086F
                                                    • Part of subcall function 60940849: sqlite3_mutex_leave.SQLITE3 ref: 60940885
                                                  • sqlite3_free.SQLITE3 ref: 609408AD
                                                    • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                  • sqlite3_free.SQLITE3 ref: 609408D1
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_free$sqlite3_mutex_enter$sqlite3_blob_closesqlite3_finalizesqlite3_mutex_leave
                                                  • String ID:
                                                  • API String ID: 3376080156-0
                                                  • Opcode ID: 62bba8bded67edb3e7ec5b4190a567f2186f1725189168df9a038347470dbc26
                                                  • Instruction ID: d915195a03e04bddfc3f3f5b3271b7f2e0ed873b55f11ac5d14163ef78522696
                                                  • Opcode Fuzzy Hash: 62bba8bded67edb3e7ec5b4190a567f2186f1725189168df9a038347470dbc26
                                                  • Instruction Fuzzy Hash: F5E039B09087008FDB10AF79C5C57057BE9AB74318F4618ACE8C28B346E735D8C0CB92
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_log
                                                  • String ID: into$out of
                                                  • API String ID: 632333372-1114767565
                                                  • Opcode ID: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                  • Instruction ID: de20b162988cb891a2f8fbcf22309076e3e21d241eadb06c465d82de9f0e8d92
                                                  • Opcode Fuzzy Hash: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                  • Instruction Fuzzy Hash: 91910170A043149BDB26CF28C88175EBBBABF65308F0481E9E858AB355D7B5DE85CF41
                                                  APIs
                                                    • Part of subcall function 60918408: sqlite3_value_text.SQLITE3 ref: 60918426
                                                  • sqlite3_free.SQLITE3 ref: 609193A3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_freesqlite3_value_text
                                                  • String ID: (NULL)$NULL
                                                  • API String ID: 2175239460-873412390
                                                  • Opcode ID: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                  • Instruction ID: 63658e955800b40111a930d2026d12727b3b294c4be858d68b3f7c51d7abf176
                                                  • Opcode Fuzzy Hash: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                  • Instruction Fuzzy Hash: E3514B31F0825A8EEB258A68C89479DBBB6BF66304F1441E9C4A9AB241D7309DC6CF01
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_log
                                                  • String ID: string or blob too big$|
                                                  • API String ID: 632333372-330586046
                                                  • Opcode ID: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
                                                  • Instruction ID: 65a9847582dc10a4f4f17f1c4fc8d82f10366072c52f03016cacc5a11d353e3e
                                                  • Opcode Fuzzy Hash: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
                                                  • Instruction Fuzzy Hash: 4D51B9749083689BCB22CF28C985789BBF6BF59314F1086D9E49897351C775EE81CF41
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_log
                                                  • String ID: d$|
                                                  • API String ID: 632333372-415524447
                                                  • Opcode ID: b41da94c8e0873fb31ce46b9bf1ec845f2d469f37e36bd2a55cc8f8885e561b5
                                                  • Instruction ID: dac03e427e93f591f5d1737f90c886445feec93ea56e6f6f32424ebbe55d5cce
                                                  • Opcode Fuzzy Hash: b41da94c8e0873fb31ce46b9bf1ec845f2d469f37e36bd2a55cc8f8885e561b5
                                                  • Instruction Fuzzy Hash: 50510970A04329DBDB26CF19C981799BBBABF55308F0481D9E958AB341D735EE81CF41
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_log
                                                  • String ID: -- $d
                                                  • API String ID: 632333372-777087308
                                                  • Opcode ID: 04c39e600f9b005651fcb68da317ac4a80b79d2e803021aaf364a84fff9736a0
                                                  • Instruction ID: 827f605eab188c5b26b82399601ab0ab65c2dc521f736992582695f4996adf34
                                                  • Opcode Fuzzy Hash: 04c39e600f9b005651fcb68da317ac4a80b79d2e803021aaf364a84fff9736a0
                                                  • Instruction Fuzzy Hash: 5651F674A042689FDB26CF28C885789BBFABF55304F1081D9E99CAB341C7759E85CF41
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_logsqlite3_value_text
                                                  • String ID: string or blob too big
                                                  • API String ID: 2320820228-2803948771
                                                  • Opcode ID: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
                                                  • Instruction ID: 1f8da1134a73d261049fdcd83983d84c916c8a3f87851362e697cdb17b1d2bab
                                                  • Opcode Fuzzy Hash: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
                                                  • Instruction Fuzzy Hash: F631D9B0A083249BCB25DF28C881799B7FABF69304F0085DAE898A7301D775DE81CF45
                                                  APIs
                                                  • sqlite3_aggregate_context.SQLITE3 ref: 60914096
                                                  • sqlite3_value_numeric_type.SQLITE3 ref: 609140A2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
                                                  • String ID:
                                                  • API String ID: 3265351223-3916222277
                                                  • Opcode ID: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
                                                  • Instruction ID: a3c0f903ff645dd1c5a8146eaa2078e963ad6c1b8d1bbf61d5d4caeb1888773d
                                                  • Opcode Fuzzy Hash: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
                                                  • Instruction Fuzzy Hash: 19119EB0A0C6589BDF059F69C4D539A7BF6AF39308F0044E8D8D08B205E771CD94CB81
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_stricmp
                                                  • String ID: log
                                                  • API String ID: 912767213-2403297477
                                                  • Opcode ID: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
                                                  • Instruction ID: cbf508da25866b0a35bc2ca480d64d7c482f0664b0359b741109bd545b4f9ff5
                                                  • Opcode Fuzzy Hash: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
                                                  • Instruction Fuzzy Hash: FD11DAB07087048BE725AF66C49535EBBB3ABA1708F10C42CE4854B784C7BAC986DB42
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_strnicmp
                                                  • String ID: SQLITE_
                                                  • API String ID: 1961171630-787686576
                                                  • Opcode ID: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                  • Instruction ID: 6d5ef3c0fd507030b5e8170497320435726bf3f0db30f2d6f2734bcd7f756fb3
                                                  • Opcode Fuzzy Hash: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                  • Instruction Fuzzy Hash: 2501D6B190C3505FD7419F29CC8075BBFFAEBA5258F10486DE89687212D374DC81D781
                                                  APIs
                                                  • sqlite3_value_bytes.SQLITE3 ref: 6091A1DB
                                                  • sqlite3_value_blob.SQLITE3 ref: 6091A1FA
                                                  Strings
                                                  • Invalid argument to rtreedepth(), xrefs: 6091A1E3
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_value_blobsqlite3_value_bytes
                                                  • String ID: Invalid argument to rtreedepth()
                                                  • API String ID: 1063208240-2843521569
                                                  • Opcode ID: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                  • Instruction ID: c9489564a96cd83e586e3a08c251b8a8c74d553169181c25a19da25ffef599d7
                                                  • Opcode Fuzzy Hash: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                  • Instruction Fuzzy Hash: 0FF0A4B2A0C2589BDB00AF2CC88255577A6FF24258F1045D9E9858F306EB34DDD5C7D1
                                                  APIs
                                                  • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561D7
                                                    • Part of subcall function 6092A43E: sqlite3_initialize.SQLITE3 ref: 6092A450
                                                    • Part of subcall function 6092A43E: sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                    • Part of subcall function 6092A43E: sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                    • Part of subcall function 6092A43E: sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                  • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561EB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_soft_heap_limit64$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_entersqlite3_mutex_leave
                                                  • String ID: soft_heap_limit
                                                  • API String ID: 1251656441-405162809
                                                  • Opcode ID: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                  • Instruction ID: 8891d4bbc0f5aef5547f00e3070395c34840fc2012d087b050684f6162b0ba7d
                                                  • Opcode Fuzzy Hash: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                  • Instruction Fuzzy Hash: C2014B71A083188BC710EF98D8417ADB7F2BFA5318F508629E8A49B394D730DC42CF41
                                                  APIs
                                                  • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 6092522A
                                                  • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 60925263
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: sqlite3_log
                                                  • String ID: NULL
                                                  • API String ID: 632333372-324932091
                                                  • Opcode ID: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
                                                  • Instruction ID: 5a36de60e8574ea04015b231464f09686a41744340efbe7a8a869d8181b3dc96
                                                  • Opcode Fuzzy Hash: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
                                                  • Instruction Fuzzy Hash: BAF0A070238301DBD7102FA6E44230E7AEBABB0798F48C43C95A84F289D7B5C844CB63
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeavefree
                                                  • String ID:
                                                  • API String ID: 4020351045-0
                                                  • Opcode ID: 13d179c58506242de641c1793229aaf6d73ae3266bd26a3d41fb94aeb54caf06
                                                  • Instruction ID: 980a39aab3b848caec2c27f45d5308e77b440585e3cd6ccd446b63c63d51e1b6
                                                  • Opcode Fuzzy Hash: 13d179c58506242de641c1793229aaf6d73ae3266bd26a3d41fb94aeb54caf06
                                                  • Instruction Fuzzy Hash: 2D018070B293058BDB10DF28C985919BBFBABB6308B20855CE499D7355D770DC80EB62
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4DF
                                                  • TlsGetValue.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4F5
                                                  • GetLastError.KERNEL32(?,?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4FD
                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D520
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3009886394.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                  • Associated: 00000004.00000002.3009863627.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010013325.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010028867.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010052383.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010069762.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000004.00000002.3010087513.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_60900000_darelvideostudio32.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                  • String ID:
                                                  • API String ID: 682475483-0
                                                  • Opcode ID: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
                                                  • Instruction ID: 6dd43474153c21470d2d90641e64b96ed0da30414b2d41baa8b5e8831fa3fcb2
                                                  • Opcode Fuzzy Hash: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
                                                  • Instruction Fuzzy Hash: 9AF0F972A163104BEB10AF659CC1A5A7BFDEFB1218F100048FC6197354E770DC40D6A2